In view of the recent Guidelines 3/2022 on dark patterns of the European Data Protection Board, the Spanish Data Protection Agency (“AEPD”) has decided to update its guidance on cookies. Companies will have a period of 6 months (until January 11, 2024) to implement the new obligations.

The most relevant updates are:

With respect to the cookie banner:

a) In the cookie banner, a “reject all” button or similar mechanism shall appear.

b) The “reject all” button shall not be less appealing, hidden, prominent, or with a design (e.g. difficult to read colour contrast) that could mislead users into accepting cookies.

This is an official example of cookie banner of the AEPD (automatically translated into English by us):

With respect to the nature of personalization cookies:

Personalization cookies (i.e. those which allow to remember information so that users may access the service under certain conditions that distinguish their experience from that of other users) will only be consent-exempted where it is the user the one who chooses such conditions (e.g. he / she chooses a language by clicking on the corresponding country flag, the currency for the corresponding transaction or the size or colour of font).

In such cases the lifespan of the cookies does not need to be only for the session, as it could be annoying for the user to personalize his / her each time he / she visits the website.

In case these cookies want to be used for other purposes (e.g. statistics, marketing, etc.), consent will still be required.

Cookie paywalls (or “Pay and Okey” mechanism):

The AEPD joins the queue of other EU data protection authorities (such as the Austrian one) and seems to admit (very subtly) paywalls.

Specifically, the AEPD modifies its previous guidelines to just include that highlighted in the following sentence: “There may be certain cases in which not accepting the use of cookies prevents access to the website or the total or partial use of the service, provided that the user is adequately informed and an alternative, not necessarily free of charge, access to the service is offered without the need to accept the use of cookies”.

Just by that, the AEPD expressly accepts that such alternative of access (if the user does not want to grant consent) may involve a payment (or in general an economic consideration).

Although the AEPD maintains the EDPB criterion that states that the alternative shall be genuinely similar to the option involving consent for cookies and provided by the same entity, it does not clarify / impose any further limitations as other EU data protection authorities have (e.g. the price for the payment alternative should be reasonable and fair, public authorities should not be able to use this mechanism, etc.).

However, controllers shall be cautious and be in a position to demonstrate that both options are reasonable and that the amount or conditions of payment are not too onerous so users are “forced” to grant consent.

Next recommended steps

• Review consent mechanism and implement the necessary changes before June 11 2024.
• Assess whether your personalization cookies require consent or not.
• In case the access to the website / app is subject to consent or monetary consideration, an assessment of whether consent is freely granted shall be carried out.