Any company or organisation that runs a website for its products or services also needs to take into account the use of cookies on its website. Through the use of cookies, companies and organisations obtain user-related data that can subsequently be used for the provision of specific services or products, to serve advertising or as a basis for the development of improved or new products and services on free occasions.
Pursuant to the guidelines of the EDPB, the AEPD (Spanish Data Protection Authority) has recently issued new guidelines which entail some changes regarding the use of cookies on a website. We will briefly outline them for you in this guide.
In essence, obtaining consent has become central to the use of cookies. It is extremely important that this is obtained lawfully. The guidelines state that consent must be given freely and in a clear and affirmative manner. In concrete terms, this means that from the 31st October 2020, it will be explicitly prohibited for websites to use cookie walls. A cookie wall ensures that website visitors cannot get access to the website before they accept the cookies.
AEPD: "Consent must be freely given. Access to functions on websites must not be made conditional on the consent of the user".
In addition, the guidelines put an end to treating continued browsing as consent. What does this mean? Scrolling or swiping through a website will no longer be accepted as consent, as there is no clear and affirmative consent (opt-in).
These new guidelines make the need for a good cookie consent solution all the more important. That's where we at Openli can help you. With our solution your cookies will always be used according to law.
Below you can find some more in-depth information about cookies and what you should be aware of.
Cookies allow the storage in the user's device of amounts of data ranging from a few kilobytes to several megabytes.
Cookies are then sorted according to a number of categories. However, it is necessary to note that the same cookie may be included in more than one category. Depending on which entity manages the computer or domain from which cookies are sent and processes the data obtained, we can distinguish:
In the event that cookies are served from a computer or domain managed by the publisher itself, but the information collected through them is managed by a third party, they cannot be considered the publisher's own cookies if the third party uses them for its own purposes.
There are many purposes for the use of cookies. Depending on the purpose for which the data obtained through cookies are processed, some of the purposes may be:
Depending on the period of time they remain activated on the device we can distinguish:
The legislation imposes two legal obligations: the obligation of transparency and the obligation to obtain consent. The information about cookies provided at the time of requesting consent must be sufficiently complete to allow users to understand their purposes and the use that will be given to them.
The following information should be included in the cookie policy:
Information or communication should be concise and transparent. The lower the technical level of the average user of that website, the simpler the language used should be (avoiding technical terminology that is hard to understand) and the more complete the information offered should be, starting from the most basic aspects of what cookies are and how they work. In any case, this lower technical level should not be an obstacle to making the information provided as clear as possible, avoiding overloading it with unnecessary details that make it difficult to read.
Conversely, if the users at whom the website is directed have a high level of knowledge about the Internet, it may not be necessary to provide basic information about what cookies are and how they work, although detailed information about what type of cookies are used on that page and for what purposes must in any case be included.
At all times, the information must be based on the knowledge that an average user has about cookies and their management, without prejudice to demanding additional information when the web pages are especially aimed at users who by their profile can be considered to have a lower degree of knowledge.
Clear and simple language must be used. Users should not have to search for the information; it must be evident to them where and how they can access it, for example through a clearly visible link that leads directly to the information under a commonly used term such as "cookie policy" or "cookies".
Informing users is not something new on the Internet. Most website editors know what methods to use to attract users' attention to the information they want to highlight, such as in the case of promotions, offers or satisfaction surveys, and to obtain the consent of their users, even in other contexts. How users are informed should leverage the experience gained through these methods.
On a website, for example, the accessibility and visibility of the cookie policy can be boosted in the following ways:
In any case, it will be necessary for the user to take an action that can be classified as a clear affirmative action in order for the consent to be considered validly granted.
Obtaining consent through user conduct other than an acceptance button, but consisting of clear affirmative action, shall be admissible provided that the conditions under which the conduct occurs provide sufficient certainty that informed and unequivocal consent is given and that such conduct can be proved to have been carried out.
In any case, the mere fact of continued browsing, scrolling or swiping the website will not be considered a clear affirmative action under any circumstances. It will be necessary that the information of the first layer is completed with a system or configuration panel in which the user can choose between accepting cookies in a granular way or a link that leads to that system or panel.
When using non-necessary cookies, obtaining the user's consent is now mandatory. This consent may be obtained through express formulas, such as by clicking on a section that states "consent", "I accept", or other similar terms.
The mere inactivity of the user will never imply the provision of consent by itself. For such consent to be valid, it must be given freely and on an informed basis. Therefore, it is necessary to take into account:
Acceptance of the terms or conditions of use of the website or service is separate from acceptance of the privacy or cookies policy. Determining which method will be appropriate to obtain consent to use cookies will depend on the type of cookies to be used, their purpose and whether they are own or third-party cookies.
One aspect to consider is whether the relationship with the user is with the publisher or with third parties. In this sense, it should be indicated whether consent is provided only for the website on which it is being requested or whether it is also provided for other websites of the same publisher or even for third parties associated with the publisher within the framework of the purposes of the cookies on which information has been offered.
Disclaimer: Depending on your line of business, country, industry and customer type (e.g. children, consumers etc.) you might need other documents and information so please note that this list is not exhaustive.