Cookie guide: update your notice before October 31
The Spanish Data Protection Agency (AEPD) has updated its guide on the use of cookies, and the new mandatory criteria must be implemented before October 31 of this year. But what does this update consist of, and what changes should you make to your website?
The starting point: data on the internet
Users and organizations are well aware of the importance of privacy and data protection, both on the internet and in other services.
In the digital environment, browsing data and user preferences are valuable information for organizations that offer services on the Internet. For this reason, different entities seek to make people aware of how and for what purpose their data is used.
In Spain, the AEPD acts as supervisor and guarantor that organizations operating on the internet respect the privacy of users, and it also educates people about the role their data plays in the digital sphere.
In this context, in July of this year, the AEPD published an update to its guide on the use of cookies, to adapt it to the guidelines of the European Data Protection Committee (CEPD). This update introduces two important changes that websites must comply with, concerning transparency and the obligation to obtain consent for the use of cookies.
“Keep browsing” is not a valid consent
Previously, scrolling through a page of a website was considered synonymous with accepting the cookie policy. So was clicking on content or closing the notice that appeared on entering the site. However, with the new update, this will no longer be a valid option for giving consent.
Why? The European Committee considers that this form of acceptance may be difficult to distinguish from other interactions that the user may carry out, so it does not regard it as unequivocal consent.
You now need to make the information on the use of cookies visible and offer an express acceptance option, for example through “I accept” or “consent”.
It is important to note that it will no longer be accepted as consent for the user to continue browsing the web or to omit cookies.
Cookie walls are no longer accepted
Previously, a user who rejected cookies could run into a “cookie wall”: unless they accepted cookies, they could not access the website's services and functions. However, with the new update to the cookie guide, this will no longer be accepted and an alternative to consent must be offered.
This matters especially for websites that currently deny access to users who reject cookies: as of October 31, that practice would go against this data protection standard, because it does not leave the user room to give consent freely.
If an alternative is offered to the user who rejects cookies, it must be equivalent to what is offered when cookies are accepted, and it must be provided by the same site, not by an external entity.
The rule has some exceptions in which access could be denied if cookies are not accepted, but in those cases the user must be informed and other alternatives offered. To see these specific cases, we recommend that you review the guide on the use of cookies.
Who does this rule apply to?
Article 22 of the Information Society Services and Electronic Commerce Act (LSSI), a standard that sets the guidelines for data protection in Europe, states that this standard applies to all those who use cookies or other similar technologies to store and retrieve other people's data.
It is important to note that each site must identify the cookies it uses (its own or those of third parties, session or persistent) in order to determine whether or not it falls within the scope of the standard.
What happens if you don't adapt your website to the guide update?
Websites that do not modify their use of cookies before October 31, 2020, may risk penalties from the AEPD.
This is because, if an investigation determines that user data is being processed without complying with the regulations, it may be a violation of the law.
When is data processing considered to exist?
Whenever a user is identifiable, either by name or by email when registered, a cookie is considered to be processing their data. The same is true when an identifier is used to distinguish one person from another and each one can be tracked (for example, for advertising).
On the other hand, if a website does not have the means or conditions to identify a user, it will be exempt from fulfilling these obligations.
Types of cookies that are exempt from the LSSI and that do not require informing the user or obtaining consent (according to the AEPD Guide on the Use of Cookies):
- Cookies that allow communication between the user's equipment and the network
- Cookies that provide a service requested by the user
- “User input” cookies (for example, filling in information in forms)
- Authentication or user identification cookies (login)
- User security cookies (cookies that detect erroneous attempts to connect to a site)
- Multimedia player session cookies
- Session cookies for load balancing
- Interface customization cookies
- Complementary cookies for exchanging social content (only for those users who decided to keep the session open)
Now that you are aware of the latest developments in Spanish data protection regulations, remember that you must apply them no later than October 31, 2020: the update was published in July 2020, the month in which the three-month transition period for adapting began.
How can we help you?
If you need more information, do not hesitate to contact us.