Andorra’s Guidelines on the Use of Cookies

The Andorran Data Protection Agency (APDA) released an updated version of its Guide on the use of cookies, privacy policy and legal notice on 15 December 2023 (Guidelines). The Guide integrates the recommendations outlined in the European Data Protection Board’s (EDPB) Directive on deceptive design patterns in the interfaces of social media platforms: how to recognize and avoid them (February 2023) and the Directive on the technical scope of art. 5 of the ePrivacy Directive (January 2024).

The Andorran APDA specifies that the Guidelines are not intended to provide a one-size-fits-all solution for all businesses but rather offer tools that businesses may rely on to ensure legal compliance depending upon their particular interests and business model.

It is important to note that Andorran companies, in addition to Law 29/2021, may also be subject to the European Union’s General Data Protection Regulation (GDPR) in the following scenarios and thus should develop compliance with its provisions:

• They offer goods and services in the EU;
• They have a branch in an EU country; or
• They monitor the activity of EU residents.

Requirements Applicable to the Use of Cookies

The Guidelines specify the following requirements regarding the use of cookies. Adherence to these requirements will help websites remain compliant with their data protection legal obligations.

• User’s consent must always be obtained prior to the activation of non-essential cookies. Consent should be free, informed, specific, unequivocal, and captured by a clear affirmative statement or action by the data subject.
• Organizations are recommended to maintain consent records, including the status of a user’s consent (i.e., whether they have accepted or rejected all cookies or customized them) and the date and time for the provision of consent.
• Data controllers have the burden of proving that they have collected the consent of users for the use of cookies as per the legal requirements.
• Users should be informed of the existence of technical or strictly necessary cookies and their purposes.
• Consent should be given voluntarily, without any element of pressure or undue influence. If a website offers an incentive to users to give consent, such consent is valid, provided the lack of consent by a user does not negatively affect the quality of service received by them.
• In some cases, non-acceptance of cookies may totally or partially limit website access or service use, provided the user is adequately informed of the consequences and offered alternatives. These alternatives, though not necessarily free, should be reasonable and provide equal guarantees of access without cookie acceptance. If alternatives are offered, users must understand the consequences of each option.
• While obtaining consent from users, all information should be communicated to the users in an easily visible, intelligible, and clearly legible manner. In this respect, merely providing the users with the link to the general conditions of a website or an app is not sufficient. In fact, there must be a cookie consent banner on the homepage of the website consisting of an option to accept and reject cookies, a link to allow users to customize their cookie choices, and a detailed cookie policy. Pre-marked boxes in the second layer, where the users can customize their choices, do not constitute valid consent.
• The use of overly technical language or phrases that induce confusion is prohibited. 
• Users must be provided with the following minimum information before their consent is collected:
  • The identity of the data controller(s), which may be provided in the cookie policy itself or through a hyperlink to another platform detailing the requisite information - the following information must also be provided in relation to the data controller(s):
    • official name of the company;
    • details of the registered office;
    • contact address(es); and
    • identity of the data protection officer, if any, and their contact details;
  • The personal data to be collected;
  • The processing purposes;
  • The cookie retention period (twenty-five months is the maximum recommended storage time of cookies);
  • The process of accepting or rejecting cookies and the consequences for said actions;
  • The existence of the right to withdraw consent at any time and the mechanism of doing so; and
  • The potential recipients of the data collected.
• Users have the right to know the identity of the entity in charge of collecting and processing their data. 
• The cookie policy's acceptance/rejection must have a simple visual format, and consent should be obtained through an express affirmative action, such as clicking on “I consent,” “I accept,” or similar buttons. Users should be aware that they are giving consent to the processing of their data through a particular action. Mere inactivity, such as a user continuing to browse a website, does not imply consent.
• The absence of the reject button or a similar option in the first layer constitutes a legal violation.
• Confusing colors and contrasts that may lead to a user choosing one option over another may invalidate the consent given.
• Options allowing global acceptance or rejection of cookies are valid so long as the option to customize cookies is equally visible and accessible in order to enable the data subject to opt-in and opt-out of specific cookie categories. 
• The data subject should be able to withdraw consent as easily, and in the same manner, as consent is granted. Users should be able to withdraw consent without suffering any adverse consequences. Users should also be informed that the withdrawal of consent will not affect the legality of any prior data processing based on their consent and that the data controller may continue to process their data based on any other lawful processing grounds if applicable. 
• If all cookies used on a website are required for processing purposes that do not require the users’ consent, it is not necessary to inform the users of the use of cookies or obtain their consent. 
• If cookies from third parties are used to provide a service requested by the user, the service provision contract should expressly state that the service providers shall not process the data for any purpose other than to provide the requisite service. Otherwise, it would be necessary to inform the users of the other purposes and obtain their consent. 
• For minors under 16, consent must be given, or processing must be authorized by their legal representatives.
• If third-party cookies are used for purposes that require the user’s consent:
  • The publisher of the website should ensure that the users receive the necessary information about the cookies, and the mechanisms for providing and revoking consent are enabled; and
  • The relevant third party should ensure that the information provided to the users is not outdated and is offered in the language of the website.

  The foregoing respective obligations, along with the consequences of the revocation of consent for the publisher and the third party should be enumerated in a contract entered into between the two entities.

• To summarize, while developing their cookie policy, organizations must ensure the provision of the following tools and information:
  • A cookie banner on the main page of the website consisting of options to accept all cookies or reject all cookies, and a link that enables users to customize the use of cookies on the first information layer (the link will take the user to a more detailed cookie policy and the second information layer from where the user can make granular choices with respect to the cookies);
  • Requisite information relating to the data controller;
  • Description and purposes of the cookies being used;
  • Specification of the personal data collected through the cookies, provided if no personal data is collected through cookies, the same should be highlighted;
  • Purposes of data processing;
  • Types of cookies being used, accompanied by their brief description on the first information layer of the cookie banner - the second information layer must explain the cookie purposes in detail;
  • Expiry period of the cookies;
  • Recipients of the personal data collected through the cookies - the list of recipients may be provided in the cookie policy, or the link to the list may be provided in the policy;
  • Mechanism of revoking consent - guidance should also be provided to users on how to delete the cookies stored in their operating systems and how to disable consent in different browsers; and
  • Details of periodic cookie policy reviews to be conducted by the website publisher.

How Securiti Can Help

Securiti’s Cookie Consent Solution helps organizations comply with applicable cookie consent legal requirements with the help of the following features:

• The implementation of an opt-in cookie consent banner and deactivation of non-essential cookies by default for the opt-in regime;
• The ability to design legally appropriate cookie consent banners, which provide all requisite information to users for consent to be informed and specific;
• The ability to design equally prominent accept and reject fields on the cookie consent banner;
• Configurable consent preference centers allowing granular consent opt-ins and opt-outs and honoring immediate consent revocations; and 
• Updated and comprehensive consent records.

Request a demo to understand how Securiti can help you comply with cookie consent requirements of global privacy laws.