We examine the impact of the Cookies Guide published by the AEPD to clarify its usage and authorisation policy

The Spanish Data Protection Agency (AEPD) has published the long-awaited new Cookie Guideline to clarify and provide some more light on this controversial subject. At first sight, it seems that not everyone is happy with it.

Cookies are small text files that websites can use to make the user experience more efficient. From the outset, it is worth noting that this guide was launched just a few months after the publication of the E-Privacy Regulation, which aims to increase security of digital services and the trust that citizens place in them. We will see if the Spanish Data Protection Agency rectifies or launches an update of its new guide once this new regulatory text to be applied in the European Union has been published.

Accordingly, the controversy comes from the consent and installation of cookies, which in October 2019 was fuelled by the publication of two resolutions that were quite surprising within the privacy and data protection sector.

We are talking about the decisions of the Court of Justice of the European Union (CJEU) in a preliminary ruling and another of the Spanish Data Protection Agency, which dispel any doubt about the invalidity of the formula “if you continue to browse, we consider that you accept the use of cookies” and required consent as a basis of legitimacy for the use of cookies, an issue which, as we shall see below, in this new cookie guide from the AEPD is not as clear as was predicted after reading and analysing the aforementioned decisions.
With regard to the new AEPD cookie guide, which is for guidance, if we were to make a crossover analysis with the old version published in April 2013, the most important thing to note would be the following:

Information

Communication must be concise, transparent and intelligible; clear and simple language should be used, avoiding using phrases that lead to confusion; and the information must be easily accessible. Thus, the AEPD is once again betting on the layered information model.
The use of cookies guide points out that the first layer of information must always identify the publisher responsible for the website, determine the purposes for which the cookies will be used, as well as provide information on whether they are their own or also those of third parties associated with them, among other matters.
In this sense, as already pointed out by the AEPD in its PS/00300/2019 procedure, a selection panel must be provided where a mechanism or button can be enabled to reject all cookies, another to enable all cookies or do it in a granular way in order to manage preferences. In this regard, it is considered that the information offered on the tools provided by various browsers to set cookies would be complementary to the previous one, but insufficient for the intended purpose of allowing preferences to be configured in a granular or selective manner, an important point to take into account when updating the information clauses on cookies on the web pages.

Consent

The new guide to cookies has undoubtedly gained prominence on this point, as it describes different ways to give consent depending on the type of cookie, the purpose of the cookie and whether it is your own or a third party’s.

The AEPD provides in its guidance that, under Article 4 of the GDPR, valid consent must be given for each specific purpose by means of an affirmative action clearly performed by the user with full awareness of the consequences of such action.

And it is in this area where the controversy arose when affirming the AEPD that the formula “continue browsing” can be considered an option to obtain consent in a valid way.
In order for the action of continuing navigation to be considered valid consent, the notice must be inserted in a clearly visible place, so that by its shape, colour, size or location there can be assurance that the notice has not gone unnoticed by the user. Equally, it will be necessary, for the consent to be considered granted, that the user performs an action that can be qualified as a clear affirmative action.

The AEPD establishes in its own guide that it may be considered a clear affirmative action to navigate to a different section of the website (other than the second layer of information on cookies or the privacy policy), slide the scroll bar, close the warning in the first layer or click on some content of the service, without the mere fact of remaining on the screen, moving the mouse or pressing a key on the keyboard being considered an acceptance.
As for the websites where the target user is under fourteen years of age, those responsible for those websites will be required to, in accordance with the principle of proactive responsibility, make an additional effort to verify that the user’s consent is given by their parents or legal guardians.

Finally and also in relation to consent, another aspect of this guide, which has an important practical version in terms of updating and adapting cookies policies, is the use of CMP’s (Consent Management Platform). The CMPs allow you to quickly obtain consent from the users/visitors of the website that have authorised the person in charge of it so that they can use them and for what they can use them for. In addition, this platform is responsible for transmitting that consent to all the collaborators of the person responsible for inserting cookies on their website, so it is very useful.

Given this small analysis, we predict a great deal of doubt regarding the updating of website cookie policies, in accordance with the latest indications given by the AEPD in the aforementioned guide, and in my humble opinion and pulling from the recurring baking analogy, this cookie guide should have been kept in the oven for a few more minutes. Perhaps its publication has been a little hasty, driven by the guides published by their counterpart data protection control authorities in the United Kingdom, Germany and France.

In the spirit of standardising the GDPR and the E-Privacy Regulation, at least it is not alone that on this controversial issue of cookies, on which each country makes recommendations, they can be contradictory in certain cases and no common agreement can be reached on them.

We are awaiting the publication of the E-Privacy Regulation which is expected in the first quarter of 2020. We will continue to be alert to any new developments in this area which may affect the correct adaptation of cookie policies in order to keep you informed and help our customers adapt their websites to be compliant with current regulations on privacy and data protection.