The AEPD updated their Guide on Cookies last July to make it more compatible with the regulations of the central European regulatory body. Budgets have been amended to make the regulations more clear, but also tighter. Even though the RGPD was implemented several years ago, many web pages still violate the cookie regulations. We will tell you about it and show you how to adapt your website so that it complies with it.
Although the regulations concerning cookies are not new, they were not defined as such until the RGPD (General Data Protection Regulation). There were some practices that were doubtful before the RGPD.
It is essential to understand what consent is. It is defined in Article 4 (11) RGPD as “any expression of free, specific and informed will by which an interested party accepts, either via a declaration, or a clear affirmative act, the processing personal data that concern him”.
There are situations in which web pages and apps do not consent to valid consent forms. This could be because they don’t allow you to choose, or because you are forced or subject to negative consequences. These pages require permissions to be downloaded on the mobile device in order to use an app that doesn’t really need them. (I wouldn’t be well informed). You will also need to accept the cookie wall in order to access the content. This prevents you from viewing the content if you don’t accept it (it wouldn’t be free).
Scrolling down the page or continuing to browse is not consent. They are not an affirmative act
The Guide outlines clearly what TRANSPARENCY means and how consent should be obtained in order to combat these poor practices.
The web must inform about Cookies in its Privacy Policy, which must be linked to the cookie notice.
It must be clear, concise, and understandable. It must also be easily understood by the average person in the target audience. It should also be easy to find, via a prominent link. The information must be available in the logical location where it can be searched, and must be permanent.
The double layer philosophy states that the first layer must contain the essentials. This includes the person responsible for the website, their purpose, whether they are sent to third parties, what data was collected, how to accept or reject them, and a link to the secondary layer which could be the complete privacy policy. The guide also emphasizes the need to distinguish cookies of different types, but not one by one as it could confuse the user when they are accepted or rejected.
Consent is, as we’ve already stated, a clear affirmative act. Consent information must be distinct from other matters. Users must have the ability to withdraw consent at any time. It must be simple to withdraw consent. If consent was given to third parties, it must be clearly stated.
There are many forms of consent, and they all work if you inform them clearly and transparently how to give them.
As we’ve already stated, cookies are subject to the tacit consent (the text that says “If you continue browsing, you agree these conditions”) and the cookie walls (browsing is stopped if consent is not granted). Cookies walls are only valid if the user is offered an alternative to access the content. This could be prior payment or subscription.
Third parties may consent to cookies if the user refers to their privacy policies and is clear about how to accept or decline cookies.
The guide also states that any changes to the website’s use of cookies must be reported in order for the user to give a new consent. It also suggests that, in the event of no changes, the website store the consent for 24 months before asking for an update.
One glance at the websites shows that many companies still require tacit consent or use techniques to get consent in a way that isn’t free for the user (e.g., to be able to view the contents). You must update your websites before the expiration of the transitional period (10/31/2020), as this could be the last notice by regulatory agencies