The deadline to implement the Updated Guide on the Use of Cookies (Updated Guide) released by the Agencia Española de Protección de Datos, the Spanish Data Protection Authority (AEPD) was 31st October 2020. Organizations were provided a three-month transition period to adopt the Updated Guide when it was released on 28 July 2020. It aligns with the latest guidelines of the European Data Protection Board on consent.
Some of the key takeaways of the Updated Guide are set out below:
For consent to be valid, it must be freely granted and informed. The option to “continue browsing”, user click, scrolling, navigation, or any such similar behavior do not constitute valid forms of consent. Consent is deemed to be valid only where the user has made a clear affirmative and unequivocal action. Consent must be given for each specific purpose to ensure granularity.
- Separate consent to the use of cookies:
The acceptance of the use of cookies must be separate from the acceptance of the terms and conditions of the use of the website or service or the privacy policy of the website.
- Transparency requirement:
The information about cookies provided at the time of requesting the user’s consent must be sufficiently complete to allow users to understand its purpose and use. The information must be provided in a concise, transparent, and intelligible manner using clear and simple language. The use of phrases that confuse or distort the clarity of the message should be avoided.
- Layered information format:
One of the ways for obtaining consent to the use of cookies is to provide layered information.
-
- First information layer: containing essential information such as the identity of the website publisher, the purposes for which cookies will be used, information whether the cookies will be used only by the publisher or also by third parties, information on the type of data to be collected and used, the mode in which a user can accept, configure or reject to the use of cookies, and a clearly visible link taking the user to the second information layer or the cookie policy. This information should be provided to users before the installation of cookies in a format that is visible to users. The Updated Guide provides several valid examples of a first information layer.
- Second information layer: containing detailed information as required under Article 13 of the GDPR such as the definition and generic function of cookies, information about the type of cookies that are used and their purpose, identification of who uses the cookies, information on how to accept, deny or revoke consent to the use of cookies, data retention period and where appropriate, information on the data transfers to third countries and when profiling involves decision-making automated with legal effects for the user or significantly affect users similarly, it will be necessary to inform the user on the logic used as well as the significance and expected consequences. The cookie policy should be easily and permanently accessible to users.
- Accessibility and visibility of cookies:
The information about cookies must be easily accessible. The accessibility and visibility can be enhanced in several ways:
-
- By increasing the link size to the information or using a source different to distinguish that link from the normal text of the website,
- By positioning the link in areas that capture the attention of users or where an average user expects to find it,
- By using descriptive and intuitive names for the link,
- By boxing, underlining, or using other techniques to highlight the importance of the link.
- Easy withdrawal of consent:
Website publishers must allow users to withdraw consent to the use of cookies at any time. The method to withdraw cookies must be made as easy as obtaining consent. A button to reject all cookies must be installed.
As a general rule, website publishers cannot make access to a service or its functionalities conditional on the user’s acceptance of the use of cookies. Where non-acceptance to the use of cookies prevents access to the website, totally or partially,
- the user must be properly informed about it,
- alternative access to the service must be offered to the user without requiring to accept the cookies,
- the services of both alternatives offered to the user must be genuinely equivalent, and
- the alternatives must be offered by the publisher and not by any other entity.
In the case of children under 14 years of age, website publishers must make reasonable efforts to verify that the consent for the processing of personal data is given by the holder of parental authority or guardianship, taking into account the available technology and the circumstances of the treatment.
The validity of consent provided by a user for the use of a certain cookie must not have a duration longer than 24 months. During this time, the selection made by the user must be preserved so that the user is not asked to provide consent every single time he or she visits the page in question unless the purpose of cookies is changed.
Website publishers and third parties managing the cookies can define their relationships through contractual arrangements. However, the administrative liability against non-compliance with the cookie consent requirements cannot be contractually transferred to the other party. Therefore, both website publishers and third parties acting as processors must fulfill their respective obligations.
How Securiti can help?
Securiti’s Cookie Consent Banner Solution enables companies to build cookie consent banners in accordance with the applicable legal requirements with cookie auto-blocking, periodic scanning, and preference center features. Securiti’s Universal Consent Management Solution captures consent and automates revocation fulfillment.
