This update was quite expected since the publication of the DPA’s 'Cookie' Guide in No-vember 2019 generated some controversy among other DPAs as well as the experts at large. Indeed, the option to continue browsing as a way of expressing the user's consent, as it was recognized in that Guide, was not well regarded by other regulators given the requirement of express consent in GDPR (General Data Protection Regulation). This was also the position of the EDPB.
Regarding the "cookie walls", the Board specified that for consent to be considered freely granted, access to the service and its functionalities should not be conditioned on the user consenting to the use of cookies ("cookie wall" ). For this reason, the new Guide establishes that the so-called "cookie walls" that do not offer an alternative to consent may not be used, in particular, in those cases in which the denial of access would prevent the exercise of a legally recognized right to the user as, for example, where access to a website is the only means provided to the user to exercise this right. The AEPD indicates that, however, “there may be certain cases in which the non-acceptance of the use of cookies prevents ac-cess to the website or the total or partial use of the service, provided that the user is ade-quately informed about this and offers an alternative to access the service without having to accept the use of cookies. As established in the 05/2020 Guidelines on the consent of the EDPB, the services of both alternatives must be genuinely equivalent. Likewise, it will also not be valid that the equivalent service is offered by an entity other than the publisher ".
When the EDPB in its plenary session in May published such Guidelines, the AEPD already announced changes ahead.
The new AEPD’s Guide Guide on the use of “cookies”of has been published in its web-site. See: www.aepd.es/sites/default/files/2020-07/guia-cookies.pdf
The new criteria stated must be implemented no later than October 31 of this year, thus it establishes a transitional period of three months for the Spanish organizations to adapt.
Despite the fact that with the approval in the future of the‘ Eprivacy ’Regulation, still pend-ing, it is possible that it will alter the‘ cookie ’regulations again in some way, it is of the ut-most importance that all organizations using „cookies“ adapt as soon as posible to this new development, in particular, as the sanctions imposed by the Spanish DPA for infringing the „cookies“ regime have been quite high so far. A € 30.000 fine has been imposed on the so-cial media Twitter and the same amount has been imposed on the aviation company Vueling.
Article provided by: Belén Arribas (Spain)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)