In accordance with the latest decision by the European Court of Justice ("ECJ") in the case of Planet49 (see our related update), the AEPD guidelines require website operators to obtain active and informed consent from their users prior to the placement of cookies on their terminal devices. Cookies, which are necessary for the service requested by the users and technical cookies enabling communication between the user's terminal and the network, are exempted from requiring consent. However, the AEPD recommends providing users with general information as to the use of such cookies.
Unlike the guidelines issued by its United Kingdom and French Counterparts (ICO and CNIL respectively), the AEPD explicitly recognizes, in certain circumstances, the "continue browsing" mechanism as valid active consent as long as the user has been given adequate notice. According to the AEPD, the notice must be displayed in a clear and visible place, taking into account its shape, color, size and location to ensure the notice has not gone unnoticed and to overcome the unambiguous consent requirement raised by the ECJ. Actions, such as the use of a scroll bar, clicking on links in the website and swiping the initial screen, may be considered valid and affirmative consent if the relevant information was provided to users.
The guidelines also analyze the use of Consent Management Platforms, minor's consent, the option of denying access where consent was not granted and the need for renewal of consent. The AEPD requires that consents be renewed at least once in every 24 months.