The Spanish Data Protection Agency has updated its guidance on cookies. The relevant changes include (i) new requirements for the design of the cookie banner and (ii) the criteria under which personalization cookies may be installed without consent. Additionally, and of particular interest, the authority has expressly admitted that, under certain circumstances, a website or app may request a payment from a user who does not accept the use of cookies (a mechanism also known as a cookie paywall or "Pay or Okay").
In view of the recent Guidelines 3/2022 on dark patterns of the European Data Protection Board, the Spanish Data Protection Agency (“AEPD”) has decided to update its guidance on cookies. Companies will have a period of 6 months (until January 11, 2024) to implement the new obligations.
The most relevant updates are:
a) In the cookie banner, a “reject all” button or similar mechanism shall appear.
b) The "reject all" button shall not be less appealing, hidden or less prominent than the option to accept, nor have a design (e.g. a colour contrast that is difficult to read) that could mislead users into accepting cookies.
This is an official example of a cookie banner from the AEPD (automatically translated into English by us):
Personalization cookies (i.e. those which allow information to be remembered so that users may access the service under certain conditions that distinguish their experience from that of other users) will only be exempt from consent where it is the user who chooses such conditions (e.g. he / she chooses a language by clicking on the corresponding country flag, the currency for the corresponding transaction, or the font size or colour).
In such cases the lifespan of the cookies does not need to be limited to the session, as it could be annoying for the user to have to personalize the service again each time he / she visits the website.
If these cookies are to be used for other purposes (e.g. statistics, marketing, etc.), consent will still be required.
The AEPD joins other EU data protection authorities (such as the Austrian one) and seems, very subtly, to admit paywalls.
Specifically, the AEPD modifies its previous guidelines only by adding the qualification highlighted in the following sentence: "There may be certain cases in which not accepting the use of cookies prevents access to the website or the total or partial use of the service, provided that the user is adequately informed and an alternative, not necessarily free of charge, access to the service is offered without the need to accept the use of cookies".
By that addition alone, the AEPD expressly accepts that the alternative means of access (where the user does not wish to grant consent) may involve a payment (or, more generally, an economic consideration).
Although the AEPD maintains the EDPB criterion that the alternative shall be genuinely equivalent to the option involving consent for cookies and be provided by the same entity, it neither clarifies nor imposes any further limitations of the kind other EU data protection authorities have adopted (e.g. that the price of the payment alternative should be reasonable and fair, or that public authorities should not be able to use this mechanism).
However, controllers should be cautious and be in a position to demonstrate that both options are reasonable and that the amount or conditions of payment are not so onerous that users are effectively "forced" to grant consent.
Authored by Juan Ramón Robles and Clara Lázaro Hernández.