Securiti announces a $75M Series C Funding Round


Andorra’s Guidelines on the Use of Cookies

By Privacy Research Team
Published on January 5, 2023

Listen to the content

The Andorran Data Protection Agency (APDA) released an updated version of its Guide on the use of cookies, privacy policy and legal notice in September 2022 (Guidelines). The amended version of the Guidelines conforms with the changes in the Andorran legal framework introduced by Andorra’s new Law 29/2021 (Personal Data Protection Law).

The Andorran APDA specifies that the Guidelines are not intended to provide a one-size-fits-all solution for all businesses but rather offer tools that businesses may rely on to ensure legal compliance depending upon their particular interests and business model.

It is important to note that Andorran companies, in addition to Law 29/2021, may also be subject to the European Union’s General Data Protection Regulation in the following scenarios, and thus should develop compliance with its provisions:

  • They offer goods and services in the EU;
  • They have a branch in an EU country; or
  • They monitor the activity of EU residents.

Requirements Applicable to the Use of Cookies

The Guidelines specify the following requirements in relation to the use of cookies. Adherence to these requirements will help websites remain compliant with their data protection legal obligations.

  • User’s consent must always be obtained prior to the activation of non-essential cookies. Consent should be free, informed, specific, unequivocal, and captured by a clear affirmative statement or action by the data subject.
  • Organizations are recommended to maintain consent records, including the status of a user’s consent (i.e., whether they have accepted or rejected all cookies or customized them) and the date and time for the provision of consent.
  • Data controllers have the burden of proving that they have collected the consent of users for the use of cookies as per the legal requirements.
  • Users should be informed of the existence of technical or strictly necessary cookies and their purposes.
  • Consent should be given voluntarily, without any element of pressure or undue influence. If a website offers an incentive to users for giving consent, such consent is valid, provided the lack of consent by a user does not negatively affect the quality of service received by them.
  • While obtaining consent from users, all information should be communicated to the users in a simple, clear, comprehensible and sufficiently recognizable manner. In this respect, merely providing the users with the link to the general conditions of a website or an app is not sufficient. In fact, there must be a cookie consent banner on the homepage of the website consisting of an option to accept and reject cookies, a link to allow users to customize their cookie choices, and a detailed cookie policy. The use of overly technical language or phrases that induce confusion is prohibited.
  • Users must be provided with the following minimum information before their consent is collected:
    • The identity of the data controller(s), which may be provided in the cookie policy itself or through a hyperlink to another platform detailing the requisite information - the following information must also be provided in relation to the data controller(s):
      • official name of the company;
      • details of the registered office;
      • registration information of the company or details of the parent act in case of a public entity;
      • contact address(es); and
      • identity of the data protection officer, if any, and their contact details;
    • The personal data to be collected;
    • The processing purposes;
    • The cookie retention period;
    • The process of accepting or rejecting cookies and the consequences for said actions;
    • The existence of the right to withdraw consent at any time and the mechanism of doing so; and
    • The potential recipients of the data collected.
  • Users have the right to know the identity of the entity in charge of collecting and processing of their data.
  • Consent should be obtained through an express affirmative action, such as clicking on “I consent,” “I accept,” or similar buttons. Users should be aware that they are giving consent to the processing of their data through a particular action. Mere inactivity, such as a user continuing to browse a website, does not imply consent.
  • Options allowing global acceptance or rejection of cookies are valid so long as the option to customize cookies is equally visible and accessible in order to enable the data subject to opt-in and opt-out of specific cookie categories.
  • The data subject should be able to withdraw consent as easily and in the same manner as consent is granted. Users should be able to withdraw consent without suffering any adverse consequences. Users should also be informed that the withdrawal of consent will not affect the legality of any prior data processing based on their consent and that the data controller may continue to process their data based on any other lawful processing grounds if applicable.
  • If all cookies used on a website are required for such processing purposes that do not require the users’ consent, it is not necessary to inform the users of the use of cookies or obtain their consent.
  • If cookies from third parties are used for the provision of a service requested by the user, the service provision contract should establish expressly that the service providers shall not process the data for any purpose other than to provide the requisite service. Otherwise, it would be necessary to inform the users of the other purposes and obtain their consent.
  • If third-party cookies are used for purposes that require the user’s consent:
    • The publisher of the website should ensure that the users receive the necessary information about the cookies, and the mechanisms for providing and revoking consent are enabled; and
    • The relevant third party should ensure that the information provided to the users is not outdated and is offered in the language of the website.

    The foregoing respective obligations, along with the consequences of the revocation of consent for the publisher and the third party, should be enumerated in a contract entered into between the two entities.

  • To summarize, while developing their cookie policy, organizations must ensure the provision of the following tools and information:
    • Cookie banner on the main page of the website consisting of options to accept all cookies or reject all cookies, and a link to customize the use of cookies on its first information layer (the link will take the user to a more detailed cookie policy and the second information layer from where the user can make granular choices with respect to the cookies);
    • Requisite information relating to the data controller;
    • Description and purposes of the cookies being used;
    • Specification of the personal data collected through the cookies, provided if no personal data is collected through cookies, the same should be highlighted;
    • Purposes of data processing;
    • Types of cookies being used, accompanied by their brief description on the first information layer of the cookie banner - the second information layer must explain the cookie purposes in detail;
    • Expiry period of the cookies;
    • Recipients of the personal data collected through the cookies - the list of recipients may be provided in the cookie policy, or the link to the list may be provided in the policy;
    • Mechanism of revoking consent - guidance should also be provided to users on how to delete the cookies stored in their operating systems and how to disable consent in different browsers; and
    • Details of periodic cookie policy reviews to be conducted by the website publisher.

How Securiti can Help

Securiti’s Cookie Consent Solution helps organizations comply with applicable cookie consent legal requirements with the help of the following features:

  • The implementation of an opt-in cookie consent banner and deactivation of non-essential cookies by default for the opt-in regime;
  • The ability to design legally appropriate cookie consent banners, which provide all requisite information to users for consent to be informed and specific;

The ability to design equally prominent accept and reject fields on the cookie consent banner;

  • Configurable consent preference centers allowing granular consent opt-ins and opt-outs and honoring immediate consent revocations; and
  • Updated and comprehensive consent records.

Ask for a DEMO to understand how Securiti can help you comply with cookie consent requirements of global privacy laws.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.


G2vEase Of Doing Business With G2 Highest User Adoption Adoption G2 Leader Enterprise Leader G2 leader G2 Momentum Leader G2 Users Most Likely To Recommend RSAC Leader Forrester Badge Snowflake Partner Badge IAPP Innovation award 2020 Gartner Cool Vendor Award Sinet Innovator Award