
Data Protection, Cybersecurity and Technology Department

1 August 2023

In July 2023 the Spanish Data Protection Agency ("AEPD") updated the Guidelines
on the use of cookies ("Cookie Guidelines" or the "Guidelines") to adapt them to the
European Data Protection Supervisor's ("EDPS") Guidelines 03/2022 on misleading
patterns on social networks.

The criteria set out in the Guidelines are to be implemented by 11 January 2024 at the
latest.

The Cookie Guidelines and their updates cover the cases in which article 22 of Law
34/2002, of 11 July, on information society services and electronic commerce
("LSSICE") is applicable. Consequently, they apply to information society service
providers who use cookies or similar technologies on websites or in mobile
applications to store and retrieve data from the terminal equipment (e.g. computer,
mobile phone) of a natural or legal person using an information society service whose
use requires the informed consent of users.

This Alert is for information purposes only and does not constitute legal advice of any kind.

The AEPD has introduced amendments to the Guidelines related to layered information
and consent, types of cookies and cookie walls. Specifically, the following:

• Layered information and consent. Actions to accept or reject cookies need to be
presented in a prominent place and format. Both actions should be at the same
level, and it should not be more complicated to refuse than to accept. Furthermore,
no misleading mechanisms may be used in a way that leads to involuntary consent,
for example, through the colours or contrast of the text. The Guidelines also
recall that the use of phrases such as "continue browsing" is not a valid way of
seeking consent.

• Personalisation cookies. Specifications are made regarding personalisation
cookies, indicating that it may be advisable for them not to be session cookies when
the constant selection by users may end up causing user fatigue. In addition, it is
detailed that, if it is the editor who carries out the personalisation based on the
information obtained from the user, it is necessary to inform the user of this,
prominently offering the option to accept or reject them.

• Settings panel. The guide specifies that the settings panel can be integrated in the
second layer of the cookie banner, as long as the access is direct and only one
(and very obvious) click away, so that the user does not have to navigate through
the second layer. It is recommended to include it only when cookies are used for more
than one purpose, in order to simplify the user experience.

• Cookie walls. The previous Guidelines already specified that for consent to be
considered freely given, access to the service and its functionalities cannot be
conditional on the user's consent to the use of cookies, and that the publisher must
offer an alternative way of accessing the service without the need to accept the use
of cookies. The new version of the Guidelines clarifies that this alternative need not
necessarily be free of charge.

• Saving the configuration. In the configuration panel the user must be able to
understand how to save his configuration and for how long. Pre-marked options are
not valid in any case.

Failure to comply with the obligations and criteria established in the Guidelines entails
a breach of art. 22 of the LSSICE, constituting an infringement (art. 38 LSSICE):

• Minor (art. 39.1.c LSSICE). Punishable by a fine of up to 30,000 euros.

• Serious (art. 39.1.b LSSICE). Punishable by a fine of 30,001 to 150,000 euros.

In addition, if the breach of obligations concerns the processing of users' personal data,
it will also constitute a serious breach of Art. 13 of Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free movement of such
data and repealing Directive 95/46/EC ("GDPR"), which may entail a fine of up to EUR
20 000 000 or, in the case of a company, an amount equivalent to a maximum of 4 %
of the total annual aggregate turnover of the preceding financial year, whichever is
higher.
