The deadline for adapting the use of cookies has expired
The deadline for implementing the necessary changes for the use of cookies, according to the criteria set out in the Guide on the Use of Cookies, has expired, after a transitional period of six months.
On 11 July 2023, the Spanish Data Protection Agency (AEPD) published a new version of its Guide on the Use of Cookies, with the aim of adapting it to the Guidelines 03/2022 of the European Data Protection Board (EDPB) on deceptive design patterns.
These Guidelines 03/2022 set out the best practice recommendations for both website, software or platform owners and users on how to detect and avoid such deceptive patterns that breach the requirements of the General Data Protection Regulation (GDPR).
As stated in these Guidelines 03/2022 “deceptive design patterns aim to influence users’ behaviour and can hinder their ability to effectively protect their personal data and make conscious choices. Data protection authorities are responsible for sanctioning the use of deceptive design patterns if these breach the GDPR requirements”.
For this reason, the AEPD has incorporated the CEDP’s recommendations into its latest Guide version that includes the following new criteria, among others:
- The actions to accept or reject cookies must be presented in a prominent place and format, both actions must be at the same level, and it must not be more complicated to reject than to accept them. Therefore, banners with only the “ACCEPT” and “CONFIGURE COOKIES” options are no longer valid, and the “REJECT ALL COOKIES” button should be clearly visible and accessible, not hidden or difficult to use.
- The cookie policy must be clear and transparent about the use of cookies on the website, software or platform. The information contained in the policy should be clear and concise, using language simple and understandable to users.
- As regards personalisation cookies, if the user decides to use them, it is not necessary to ask for his consent, provided that the data are not used for other purposes (for example, if the user chooses the language of the website by clicking on the appropriate option).
Consent must be obtained for the use of cookies for other purposes, such as personalising advertising content or profiling users.
These new criteria, which ensure greater transparency in the obligations of the website, software or platform owner using cookies, represent a further step forward in the field of personal data protection and privacy. Therefore, the door is now open to the application of sanctions and fines for non-compliance with the deadline set by the AEPD for compliance with these criteria.
Author: Melanie Díaz
Molins Defensa Penal, Department of Compliance.