The Spanish Data Protection Agency (AEPD) has recently updated its cookie guidance, now requiring a "reject" button in the first layer of cookie banners. This shift in approach aligns the AEPD with other EU supervisory authorities, such as the French CNIL and the Belgian APD.

Context

To date, the AEPD has not required a "reject" button in the first layer of information, i.e. the cookie banner. The option to reject the installation of cookies could until now be provided in a second layer of information or cookie settings.

In contrast to the AEPD, the majority of EU supervisory authorities consider a cookie banner without a "reject" option alongside an "accept" button to infringe the ePrivacy Directive. This is also reflected in the report issued by the Cookie Banner Taskforce of the European Data Protection Board (EDPB) on 17 January 2023.

This report reflects the common denominators of EU supervisory authorities when handling the complaints filed by Mr Schrems' non-profit organisation (NOYB) against several entities in relation to cookies. As discussed in a previous post, one of these entities was the Royal Spanish Academy (Real Academia Española), Spain's official royal institution governing the Spanish language. The AEPD rejected this complaint.

"Reject" button on the first layer

The AEPD has updated its guidance to align it with the Cookie Banner Taskforce report and the EDPB's Guidelines 03/2022 on deceptive patterns adopted in February 2023. With this change, the AEPD adopts a stricter criterion, requiring the inclusion of a "reject" button in cookie banners.

The AEPD’s updated guidance sets forth that the first layer of information must have an easily visible button to consent to the use of all cookies, and another button to reject them.

It also provides examples of adequate cookie banners, deleting previous examples that only included an "accept" and "manage" button for cookies, where the user had to access a cookie settings panel to reject cookies. This example has been replaced by a new example where the options to "accept all" and "reject all" are directly included in the cookie banner.

Further, the guidance sets out that both options must be presented to the user at the same time, at the same level, and with the same visibility. For instance, the colour or contrast of the text and buttons must not lead users to involuntary consent.

Personalisation cookies

Another change introduced by the AEPD is related to “personalisation cookies”. When users choose their preferred options on a website, e.g. choosing the website’s language or their preferred currency, these cookies are generally considered technical and do not require consent.

However, the AEPD considers that when it is the website editor who makes decisions about personalisation cookies based on information obtained from the user, the user must be informed and offered the option to accept or reject them.

In any case, the website editor cannot use these cookies for other purposes.

Cookie walls

Regarding cookie walls, the previous guidance already established that, for consent to be considered freely given, access to the service and its functionalities cannot be conditional on the user consenting to the use of cookies.

Therefore, there could be cases where not accepting the use of cookies would prevent access to the website or the service, as long as the user is informed and is offered an alternative to access the service without the need to accept the use of cookies. The AEPD's updated guidance clarifies that this alternative does not necessarily have to be free of charge.

Looking ahead

Many organisations that have followed the AEPD's previous criteria will now have to adapt their cookie banners to comply with the AEPD's updated guidance. Such changes should be made no later than 11 January 2024.

If you would like to know more about the AEPD’s position on cookies, let us know!