The Spanish Data Protection Authority (AEPD) released an updated guidance on the use of cookies in May 2024. The guidance was updated to align it with the Opinion 8/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms issued by the European Data Protection Board (EDPB) in April 2024.
Some of the key takeaways from the guidance are set out below:
Consent Requirement
- Users’ consent must be obtained for the use of cookies.
- Users may convey their consent preferences through browser or other application settings where technically possible and effective.
- Consent is not required for the use of cookies required for carrying out transmission of communication over an electronic communications network or those strictly necessary for the provision of a service expressly requested by the user.
Valid Consent
- For consent to be valid, it must be freely granted and informed.
- The option to “continue browsing”, user click, scrolling, navigation, or any such similar behavior does not constitute valid forms of consent.
- Consent is deemed to be valid only where the user has made a clear, affirmative and unequivocal action.
- Consent must be given for each specific purpose to ensure granularity. It is recommended that a separate cookie should be used for each purpose.
Separate Consent to the Use of Cookies
- The acceptance of the use of cookies must be separate from the acceptance of the terms and conditions of the use of the website or service or the privacy policy of the website.
Transparency Requirement
- The information about cookies provided at the time of requesting the user’s consent must be sufficiently complete to allow users to understand its purpose and use.
- Information provided to the users should include definition and generic purpose of cookies, the types of cookies used and their use, identification of who uses the cookies, and information on how to accept, deny or revoke the consent for the use of cookies.
- The information must be provided to the users in a concise, transparent, and intelligible manner using clear and simple language.
- When providing information about third parties that use cookies, in order to comply with the conciseness requirement, different mechanisms may be used, such as buttons that display more specific information or pop-up text that appears when passing the mouse pointer over it such that the users can easily access the information if they wish
- The use of phrases that confuse or distort the clarity of the message should be avoided.
- Users should be informed, at least on a generic basis, of the cookies excluded from consent and notice requirements.
One of the ways to obtain consent to the use of cookies is to provide information in layers, so that the user is able to go to the aspects of the statement or notice that interest them the most. Providing layered information also ensures that all information is available in a single place to be easily accessed if they wish to consult the statement in its entirety.
- First Information Layer: containing essential information such as the identity of the website publisher, the purposes for which cookies will be used, information whether the cookies will be used only by the publisher or also by third parties, information on the type of data to be collected and used, the mode in which a user can accept, configure or reject to the use of cookies, and a clearly visible link taking the user to the second information layer or the cookie policy. This information should be provided to users before the installation of cookies in a format that is visible to users. The updated guide provides several valid examples of a first information layer.
- Second Information Layer: containing detailed information as required under Article 13 of the GDPR, such as the definition and generic function of cookies, information about the type of cookies that are used and their purpose, identification of who uses the cookies, information on how to accept, deny or revoke consent to the use of cookies or how to delete third party cookies from browser or system, data retention periods and where appropriate, information on the data transfers to third countries and when profiling involves decision-making automated with legal effects for the user or significantly affect users. Similarly, it will be necessary to inform the user on the logic used as well as the significance and expected consequences. The cookie policy should be easily and permanently accessible to users.
Accessibility and Visibility of Cookies
The information about cookies must be easily accessible. The accessibility and visibility can be enhanced in several ways:
- by increasing the size of the link to the information or using a different font to distinguish that link from the normal text of the website;
- by positioning the link in areas that capture the users’ attention or where an average user expects to find it;
- by using descriptive and intuitive names for the link i.e., using “Cookie Policy” instead of a general expression like “Privacy Policy” to improve its accessibility and visibility; and
- by using alternative methods that emphasize the significance of the informative hyperlink, such as employing framing or underlining for the link, triggering a notice when the mouse pointer hovers over the link, or incorporating a clickable image that motivates exploration for additional information.
Easy Withdrawal of Consent
- The website publisher is obligated to provide users with information in its cookie policy regarding the procedures for withdrawing consent and deleting cookies.
- The publishers must allow users to withdraw consent to the use of cookies at any time.
- The method to withdraw cookies must be made as easy as the one used when obtaining consent.
- A button to reject all cookies must be installed.
- The 'reject all' button must be equally appealing, easily accessible, and prominently displayed, with a design that avoids potential misleading elements, such as difficult-to-read color contrasts, to ensure users are not led into unintentionally accepting cookies.
Cookie Walls
As a general rule, website publishers cannot make access to a service or its functionalities conditional on the user’s acceptance of the use of cookies. There may be certain cases where non-acceptance of the use of cookies prevents users’ further access to the website, totally or partially, provided that:
- the user must be adequately informed about it andalternative access to the service must be offered to the users without requiring them to accept the cookies;
- the services of both alternatives offered to the user must be genuinely equivalent; and
- the alternatives must be offered by the publisher and not by any other entity, and this alternative does not necessarily have to be free of charge.
Furthermore, the guidance refers to EDPB’s Opinion 8/2024 that highlights the need to comply with the requirements of GDPR, in particular those related to valid consent, while assessing the specificity of each case. EDPB adds that, in most cases, it will not be possible for large online platforms to comply with the requirements for valid consent under GDPR if they confront users only with a binary choice between consenting to processing of personal data for behavioral advertising purposes and paying a fee (‘consent or pay’ model).
The offering of (only) a paid alternative to the service which includes processing for behavioral advertising purposes should not be the default way forward for controllers. When developing the alternative to the version of the service with behavioral advertising, large online platforms should consider providing data subjects with an ‘equivalent alternative’ that does not entail the payment of a fee, without behavioral advertising, e.g. with a form of advertising involving the processing of less (or no) personal data. This option derives from the principle of data minimization, which obliges data controllers to ensure that only the data necessary for advertising activity will be processed. The offer of this free alternative is a particularly important factor when assessing whether the consent granted for behavioral advertising would be considered valid and no detriment has occurred to the interested party.
Personalization Cookies
Personalization cookies, designed to save information and tailor user experiences, are exempted from the need for consent only when it is the user who actively chooses specific conditions. For instance, if a user selects a language by clicking on a country flag, chooses a currency for a transaction, or customizes the font size or color, consent exemption applies. In such instances, the cookies' lifespan doesn't necessarily have to be limited to the session, thus facilitating users from the inconvenience of having to personalize their settings with each visit. However, if there is an intention to use these cookies for additional purposes like statistics or marketing, obtaining user consent remains a requirement.
Consent of Minors
- Websites aimed at minors must use simple and clear language. In the case of children under 14 years of age, website publishers must make reasonable efforts to verify that consent for the processing of personal data is given by the holder of parental authority or guardianship, taking into account the available technology and the circumstances of the treatment. Additionally, the publisher must consider the risk associated with the use of cookies and implement the principle of data minimization.
- The website publishers must take additional precautions when using data to personalize the user experience without creating a profile of the minor. In the absence of the corresponding risk analysis according to the specific circumstances of the case.Additional precautions should be taken to verify that the consent was given or authorized by the holder of parental authority or guardianship.
- The system of the website publisher should detect incidents indicating inaccurate data entry, and in such cases, it should refrain from using cookies until the holder of parental authority or guardianship grants consent. This could include cases where future dates are specified, or the mentioned age of the parent/guardian is not reasonable. Website owners may employ reasonable verification methods, like questions or captchas, to ensure that parental consent is obtained rather than that of the minor.
- If consent for cookie usage is sought during processes like registration, additional information about parents or guardians may be requested for verification, such as their name, email address, or a copy of identification documents. This approach aims to uphold the importance of securing clear and explicit parental consent, particularly when dealing with minors' data in online services.
Renewal of Consent
The periodic renewal of consent at appropriate intervals is considered a best practice. The validity of consent provided by a user for the use of a certain cookie must not have a duration longer than 24 months. During this time, the selection made by the user must be preserved so that the user is not asked to provide consent every single time they visit the webpage in question unless the purpose of cookies is changed.
Liability
Website publishers and third parties managing the cookies can define their relationships through contractual arrangements. However, the administrative liability against non-compliance with the cookie consent requirements cannot be contractually transferred to the other party. Therefore, both website publishers and third parties acting as processors must fulfill their respective obligations.
How Securiti Can Help
Securiti’s Cookie Consent enables companies to build cookie consent banners in accordance with the applicable legal requirements with cookie auto-blocking, periodic scanning, and preference center features. Securiti’s Universal Consent Management captures consent and automates revocation fulfillment.
Request a demo today to understand how Securiti can help you comply with the consent requirements of GDPR, the e-Privacy Directive, the AEPD’s guidance on the use of cookies, and a whole host of other global privacy laws and regulations with ease.
