What does the Guide address?
To whom does the Guide apply?
Information society service providers who install, on websites or in mobile applications, cookies or similar technologies whose use requires users' informed consent. Cookies that require consent are those that are not strictly necessary to allow communication between the user and the network or to provide a service requested by the user. For instance, first-party or third-party analytical or statistical cookies and behavioural advertising cookies are subject to consent. With respect to cookies exempt from this obligation (e.g. technical cookies), the AEPD recommends informing users of their use.
How should the transparency principle be complied with?
Furthermore, the AEPD points out that:
- information should be brief and succinct "to avoid information overload"; and
How should the obligation to obtain informed consent be fulfilled?
The main novelty of the Guide is that, unlike those published by other European authorities, the option to "continue browsing" is accepted as a valid formula to obtain users' unambiguous consent in some cases. The AEPD points out that this option may be more appropriate for registered users and warns that it may lead to greater difficulties in proving the collection of consent and that the validity of this system will depend, to a large extent, on the quality and accessibility of the information provided and the type of action from which consent is inferred (e.g. navigating to a different section of the website, closing the first-layer notice or clicking on some piece of the service's content). Likewise, procedures must be incorporated so that refusing consent is as simple as giving it. For this reason, a button to reject all cookies must be enabled in the cookie configuration panel.
However, the formula for obtaining unambiguous consent (of the "continue browsing" type) will not be valid in those cases in which cookies are used to carry out processing that requires explicit consent. In particular, an "I accept" button should be included in the cookie banner in cases in which special categories of personal data are processed, automated individual decisions are made with legal effects on users (the legal basis of which is consent), or international data transfers are carried out and the legal basis for doing so is consent.
Other issues to consider
The Guide points out other issues that could be relevant, including the following:
- Cookie configuration panel. The information about the first-layer cookies must be completed with a system or configuration panel in which the user can choose whether or not to accept cookies in a granular form, or a link that leads to that system or panel. The link or button to manage cookie preferences must take the user directly to the configuration panel, which may be integrated into the second information layer. The Guide states that, in order to facilitate the selection of cookies by the user, two buttons may be implemented in that panel: one to accept all cookies and another to reject all cookies, with this option being more strongly recommended the greater the number of different cookies used. If the "continue browsing" method is used as a means of obtaining consent, a button for rejecting all cookies must be included in the panel, as indicated above, in order to respect the requirement that it should be as easy to withdraw consent as it is to give it.
- Duration of cookies. The AEPD recommends using session cookies in preference to persistent cookies. If it is necessary to use persistent cookies, the AEPD indicates that their duration should be kept to the minimum necessary to achieve the purpose for which they are used.
- Consent update. The Guide highlights, as good practice, that the validity of consent for the use of a given cookie should not exceed two years.
- Websites aimed at children under 14. Mechanisms should be implemented to verify that consent to the processing of personal data is given by the person holding parental authority and comply with the principle of data minimisation.
- Possibility of denying access to the service in the case of the rejection of cookies. The AEPD recognises the possibility of denying access to an information society service if cookies are not accepted. However, such access may not be restricted in cases in which the refusal prevents the user from exercising a legally recognised right, for example if access to that website is the only means provided to the user to exercise that right.
- Possible impact of the (EU) Regulation on privacy and electronic communications. It should be kept in mind that the Guide could be amended when this Regulation is published; it is currently still at the proposal stage.
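As an added illustration (not part of the Guide or of any AEPD material), the following code models the requirements listed above for the configuration panel, cookie duration and consent update: granular choices, an "accept all" and a "reject all" action that are equally simple, exempt technical cookies that never need consent, consent that stops being valid after two years, and a Set-Cookie builder that emits a session cookie unless an explicit, capped Max-Age is requested. The category names, the injectable clock and the cookie attributes are assumptions chosen for the example.

```javascript
// Added example: consent record modelled on the AEPD Guide's recommendations.
// Two-year good-practice limit on the validity of consent (milliseconds).
const CONSENT_MAX_AGE_MS = 2 * 365 * 24 * 60 * 60 * 1000;

// Assumed category names. Anything not listed here is treated as an exempt
// technical cookie, which needs no consent.
const OPTIONAL_CATEGORIES = ["analytics", "advertising"];

// `now` is injectable so the expiry rule can be exercised without waiting.
function makeConsentStore(now = () => Date.now()) {
  let record = null; // { choices: { analytics: bool, advertising: bool }, givenAt: ms }

  function set(choices) {
    const normalized = {};
    for (const c of OPTIONAL_CATEGORIES) normalized[c] = choices[c] === true; // default: deny
    record = { choices: normalized, givenAt: now() };
    return record;
  }

  return {
    // Both bulk actions are a single call, so rejecting is as simple as accepting.
    acceptAll: () => set(Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, true]))),
    rejectAll: () => set({}),
    setGranular: set,
    // Gate to consult before setting any cookie of the given category.
    isAllowed(category) {
      if (!OPTIONAL_CATEGORIES.includes(category)) return true; // exempt technical cookie
      if (!record) return false; // no decision yet: do not set the cookie
      if (now() - record.givenAt > CONSENT_MAX_AGE_MS) {
        record = null; // older than two years: consent must be requested again
        return false;
      }
      return record.choices[category];
    },
  };
}

// Builds a Set-Cookie header value. Omitting maxAgeSeconds yields a session
// cookie (the Guide's preference); a persistent cookie gets an explicit Max-Age
// that the caller should keep to the minimum needed for its purpose.
function buildSetCookie(name, value, { maxAgeSeconds, secure = true } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, "Path=/", "SameSite=Lax"];
  if (secure) parts.push("Secure");
  if (maxAgeSeconds !== undefined) {
    parts.push(`Max-Age=${Math.max(0, Math.floor(maxAgeSeconds))}`);
  }
  return parts.join("; ");
}
```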