Make sure your website won’t be subject to a fine of up to 300.000 euros! Since the 11th of January updates of the cookies consent data usage came into effect in Spain and France.
To align with the Organic Law of Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD) and regulations set by the AEPD, publishers need to adhere to specific guidelines, particularly concerning cookie usage. Non-compliance can result in fines.
In light of new directives from the European Data Protection Board, the AEPD has revised its cookie consent requirements. These changes were announced in July 2023 and, now, are affecting any website receiving traffic from Spain and France.
To comply with these updated data privacy regulations, publishers should focus on the following aspects:
First Layer of the Consent Banner:
- Display the website publisher’s name.
- Clarify the purpose of cookies consent data usage.
- Indicate whether cookies are first-party (publisher’s) or third-party.
- Provide generic information about the data types collected for user profiling.
- Include options for users to accept, configure, or decline cookies.
- The banner should feature clearly labeled buttons for accepting or rejecting cookies and accessing more detailed settings or information.
Second Layer of the Consent Banner:
- This layer can include a settings panel for users to save their cookie preferences.
- It’s crucial to avoid pre-ticked options favoring cookie acceptance.
- Offer granularity in cookie selection, grouped by purpose and, optionally, by third party.
- Clearly identify third-party cookies by name or brand.
Consent Data Collection Methods:
- Clearly indicate the scope of consent (specific to the webpage or extending to others).
- Present options to accept or refuse cookies with equal prominence and accessibility.
- Inactivity should not be construed as consent; clear positive action is required.
Cookie Duration:
- Limit cookie duration to the minimum necessary for their intended purpose.
Use of Cookie Walls:
- Cookie walls are permissible if users are well-informed and provided with an alternative to access services without accepting cookies. The alternative service should be equivalent and provided by the same publisher.
Can scrolling be considered as giving cookie consent?
Scrolling on a webpage is not considered a valid form of giving affirmative consent according to the Spanish Data Protection Authority (AEPD).
What happens if a user doesn’t click “Accept” for cookies?
If a user doesn’t explicitly click the “Accept” button for cookies, it implies that they have not consented to the use of cookies. Merely continuing to browse the website does not equate to giving consent.
Is it necessary to have a “Reject” button in the cookie consent banner?
According to the AEPD, it is mandatory to include both the “Accept” and “Reject” buttons in cookie consent banners. These buttons should be equally visible and accessible and positioned on the same level. The AEPD emphasizes that rejecting cookies should not be more complicated than accepting them.
Should cookies be blocked until consent is given?
Yes, barring certain exemptions, cookies should remain blocked until explicit consent is obtained from the user.
Do I need to provide proof of consent under GDPR guidelines?
The AEPD hasn’t explicitly specified whether technical cookies serve as sufficient proof of consent under GDPR. Unlike some other jurisdictions, it may be necessary to maintain records of consent rather than simply relying on technical cookies as proof.
As a publisher: What do you need to do?
Are you a Refinery89 publisher and your site is already using the consentmanager.net CMP? You have nothing to worry about since you already comply with all the above requirements.
If you are using another CMP platform, reach out, and we will help you set up the Consentmanager.net CMP at no extra cost.