The Spanish Data Protection Agency published the Updated Guide on the Use of Cookies on 11 July 2023.

Auratech analyses the changes it introduces, with the aim of informing users about the importance of using cookies in accordance with the law and this new guide.

1. Accept or Reject cookies

These are the new precepts added by the Spanish Data Protection Agency on accepting or rejecting cookies:

  • There must be a “Reject” or “Reject cookies” button (or equivalent mechanism) whenever there is an “Accept” button, so that the user can reject the use of cookies (except those exempt from obtaining informed consent).
  • The “Accept” and “Reject” (or “yes” and “no”) actions should appear in a prominent location and format. Both actions should be at the same level, so that rejecting cookies is not more complicated than accepting them.
  • The colour of the text and buttons should not mislead the user into giving unintended consent.
  • The user must not be given the impression that he or she must accept cookies in order to browse the website.
  • It is not permitted to clearly push the user to accept cookies. Neither the colour nor the buttons (or equivalent mechanisms) should mislead users, i.e. no unintended consent should be implied. Therefore, a reject option consisting of a button whose text does not contrast with the button colour prevents the “reject cookies” option from being clearly read, so the user cannot clearly distinguish it.

Example of a correct cookie banner:

Example of an incorrect cookie banner:

2. Consent

For the use of non-exempt cookies, the user’s consent is required in all cases. This consent is obtained when the user clicks on options such as “I consent”, “I accept”, etc.

For this consent to be valid, it must have been given freely and in an informed manner by the user.

The new provision of the updated Cookie Guide published on 11 July 2023 states that, in any case, the user may refuse to accept cookies.

Example of a correct consent:

3. Personalisation cookies

These cookies allow information to be remembered so that the user can access the service with certain characteristics that may differentiate their experience from that of other users.

When it is the user who makes these choices (the language of the website, the currency used to pay, etc.), these are technical cookies that do not require consent and cannot be used for other purposes.

If it is the publisher who makes such decisions about personalisation cookies on the basis of information obtained from the user, the choice to accept or reject them will be required. The publisher will not be able to use them for other purposes.

It is also vitally important that the user knows which cookies are exempt. Exempt cookies are excluded from the scope of application of art. 22.2 of the Law on Information Society Services (LSSI), and it is not necessary to inform about them or obtain consent for their use.

In this regard, the Article 29 Working Party (GT29), in its Opinion 4/2012, interpreted that exempt cookies would include those that have the following purposes:


  • “User input” cookies (Session and user input cookies are typically used to track user actions when filling in online forms on various pages, or as a shopping basket to track items that the user has selected by clicking a button).
  • User authentication or identification cookies (session only).
  • User security cookies (e.g., cookies used to detect repeated, erroneous attempts to log in to a website).
  • Media player session cookies.
  • Session cookies for load balancing.
  • User interface customisation cookies.
  • Certain plug-in cookies for sharing social content (the exception only applies to users who have chosen to keep their session open).

However, it will be necessary to inform and obtain consent for the use of any other type of cookies, whether first-party or third-party, session or persistent, etc.

4. Cookie walls

The so-called “cookie walls”, which do not offer an alternative to consent, may not be used.

There may be certain cases in which not accepting the use of cookies prevents access to the website, or the total or partial use of the service, provided that the user is adequately informed of this and an alternative, not necessarily free of charge, is offered for accessing the service without having to accept the use of cookies.

The not necessarily free alternative is another of the main novelties of the guide.

According to the European Data Protection Board (CEPD) Guidelines 05/2020 on consent, the services of both alternatives must be genuinely equivalent, and an equivalent service offered by an entity other than the publisher is not valid.

5. Implementation deadline

The Updated Guide on the Use of Cookies established by the Spanish Data Protection Agency must be implemented by 11 January 2024 at the latest.

This opens the possibility of a transitional period of 6 months for the adaptation of these criteria.
