What are the main updates contained in the latest version of the Guide?
This recent update aligns the Spanish DPA’s position with that of the European Data Protection Board’s (EDPB) Guidelines 05/2020 of May 4, 2020 regarding consent, namely on two main aspects:
- The lack of validity of the "continue browsing" option for collecting the users’ consent; and
- The prohibition of the so-called "cookie walls".
1. "Continue browsing" does not imply consent
The latest update of the Guide requires the user to perform an undoubtedly positive action in order for consent to be validly granted. In this regard, the AEPD recommends that companies include two different buttons on websites, through which the user can accept or reject/set up cookies. Otherwise, it is suggested to complete the information appearing in the first layer with a configuration panel (or a link to it) in which the user can accept or reject the cookies in a granular manner. In this sense, it is important to note that when information is provided through layers, the first layer must contain the most essential information to be displayed when users access the webpage, such as the purpose of the cookies.
Notwithstanding the foregoing, the AEPD expressly establishes that it might be valid to obtain users' consent through conduct other than selecting an acceptance box, provided that such actions offer enough certainty that informed and unequivocal consent is given. In addition, the performance of such conduct by the user must be demonstrable.
By contrast, after the publication of the latest version in July 2020, merely entering a website, scrolling down or browsing can no longer be considered methods by which users validly and unequivocally grant consent. Indeed, following the clarifications made by the AEPD, these actions cannot under any circumstances be understood as affirmative actions, since they can be confused with other interactions of the user. As a result, the user's conduct of “continue browsing” is not a means to voluntarily and unequivocally give consent.
2. Prohibition of "cookie walls"
It is important to note that, prior to the adaptation of the Guide, the AEPD allowed the use of "cookie walls" with almost no restrictions. In fact, the only case in which the use of cookie walls was prohibited was when the denial of access to the website hindered the only means provided to exercise a legally recognized right of the user.
What are the penalties for not complying with the Guide?
In the Spanish legislative system, article 22.2 of Act 34/2002 on Information Society Services and Electronic Commerce permits companies to install cookies. However, it sets out the obligation to inform users in advance and to obtain their valid consent. As a consequence of this legal regulation, the AEPD is able to initiate sanction procedures against companies that do not comply with these obligations.
In this context, it should be noted that sanctions for cookie infringement, as regulated in Act 34/2002, range from 30.000 euros for minor infringements to 600.000 euros for very serious offenses. In order to determine the severity of the sanctions, the AEPD takes into account factors such as the intentionality, the recurrence of the infringer or the period during which the infringement has been committed. Moreover, the Spanish data protection authority moderates the sanctions by considering mitigating circumstances, such as diligently regularizing the situation, the acknowledgement of guilt by the offender or, in a scenario of merger by absorption, when the sanction is prior to the absorption process and it is not attributable to the absorbing entity.
By way of example, one of the latest sanctions imposed by the AEPD was enforced, in June 2020, against a well-known social network for installing "unnecessary cookies" without informing users and correctly obtaining their consent. The sanction procedure, which was initiated following an individual’s complaint, ended with the imposition of a fine of 30.000 euros on the company. Likewise, in January 2019, the AEPD imposed a fine of 10.000 euros on the Spanish subsidiary of a multinational company for installing cookies without previously obtaining the informed consent of users. In the latter case, the Spanish data protection authority ended up reducing the amount of the sanction by taking into consideration mitigating factors.