Since June 2024 it has been mandatory to adapt to the new guidelines on the use of cookies set by the European Union, which affect deceptive patterns. Does your company comply with the rules on the use of cookies? At the Tomarial Data Protection Area we can advise you so that your website is fully adapted to current regulations in Spain. This practical guide summarizes what correct use of cookies looks like.

Key points about the use of cookies

  • It is always necessary to offer the user, in the first layer (banner), the possibility of rejecting all cookies, accepting them or configuring them as they choose (by displaying the configuration panel). That is, the banner will require three buttons to choose from.
  • The "Reject" option should be visible and not hidden by colors, lettering or sizes that prevent it from being located.
  • Do not use color combinations that encourage acceptance (for example, "accept" in phosphor green and "reject" and "set" in a softer color).
  • There can be no pre-ticked boxes in the settings panel.
  • Improper references to legitimate interest are not allowed as a legal basis for installing cookies (imprecise expressions such as "to show you personalized content", "to improve your experience", etc.).
  • It cannot be indicated that cookies are technical in the settings panel when they actually need consent.
  • As good practice, it is recommended to enable a floating button on the website to access the cookie configuration panel at any time. It should always be available and as visible as possible. It should be just as easy to give consent as it is to withdraw (or manage) it, and this must be explained in the text of the cookie policy.
  • It should be taken into account that the same cookie can have more than one purpose (multipurpose cookies), so a cookie may be exempt from the scope of application of article 22.2 of the LSSI for one or more of its purposes and not for others, the latter being subject to that provision. This should encourage website owners to use a different cookie for each purpose. It must be guaranteed that these cookies are only used if all the purposes they group are accepted: if a cookie serves two purposes but the user only accepts one of them, the cookie should not be used. The exception is where the management used allows the different purposes of a multipurpose cookie to be treated separately, so that if the user accepts one of its purposes and not others, the cookie only operates for the accepted purpose.
  • Users must be provided with clear and complete information on the use of data storage and recovery devices and, in particular, on the purposes of data processing. The information about cookies provided at the time of requesting consent must be complete enough to allow users to understand their purposes and the use that will be made of them.

Mandatory measures in the use of cookies

  • The user may not be given the impression that they have to accept cookies to navigate the website.
  • The user may not be clearly pushed into accepting cookies.
  • The color or contrast of the text and buttons (or equivalent mechanisms) may not be obviously misleading to users, in a way that leads to involuntary consent. It will not be valid, for example, if the option to reject cookies is a button with a text that does not contrast sufficiently with the color of the button and, therefore, cannot be read.
  • The maximum degree of granularity (cookie-by-cookie selection, even within the same purpose) should be avoided, since the excess of information makes decision-making difficult.
  • The button or mechanism to manage the user's preferences must lead directly to the configuration panel, without having to scroll through large amounts of text looking for the information, which must remain permanently accessible.
  • In the configuration panel it should be clearly indicated, or otherwise clear, how to save the selection made by the user. For these purposes, for example, a button with the text “Save selection”, “Save configuration” or similar would be valid.
  • To facilitate the selection, two buttons may also be implemented in the panel, one to select all the categories of cookies and another to reject them all if the user has previously selected them. This option is more advisable the greater the number of different categories into which cookies have been classified. If the user saves their choice without having selected any cookies, it will be equivalent to the rejection of all cookies.
  • In no case are pre-marked options admissible in favor of accepting cookies to obtain valid consent.
  • In relation to third-party cookies, it is enough to identify them by name or by the brand with which they identify themselves to the public, without including the full company name.

Information to include in the cookie policy

  • Definition and generic function of cookies.
  • Information about the type of cookies that are used and their purpose.
  • Identification of who uses cookies.
  • Information on how to accept, deny or revoke the consent for the use of cookies stated through the functionalities provided by the publisher through the common platforms that may exist for this purpose.
  • Where appropriate, information on data transfers to third countries made by the publisher.
  • When profiling involves automated decision-making with legal effects for the user, or that significantly affects them in a similar way, it will be necessary to report on the logic used, as well as the importance and expected consequences of said processing for the user, in the terms established in article 13.2.f) of the GDPR.
  • Retention period.
  • In relation to the rest of the information required by article 13 of the GDPR that does not refer specifically to cookies (for example, the rights of the interested parties), the publisher may refer to the privacy policy.

How information about cookies should be displayed

  • The information or communication must be concise, transparent and intelligible; it must be understandable to the average member of the target audience.
  • Clear and simple language must be used, avoiding phrases that lead to confusion or undermine the clarity of the message. For example, phrases such as "we use cookies to personalize your content and create a better experience for you" or "to improve your navigation", or phrases such as "we may use your personal data to offer personalized services", would not be valid to refer to behavioral advertising cookies. Terms such as “may”, “might”, “some”, “often”, and “possible” should also be avoided.
  • The information must be easily accessible. The user should not have to search for the information; it should be obvious to the user where and how it can be accessed, such as when a clearly visible link is provided that leads directly to the information under a commonly used term such as "cookie policy" or "cookies".
  • Possibility of using “layers”; highly recommended.

How to give consent

  • For the use of non-exempt cookies, it will be necessary in any case to obtain the consent of the user. This consent may be obtained through express formulas, such as clicking on a section that indicates "I consent", "I accept", or other similar terms.
  • It can also be obtained by inferring it from an unequivocal action carried out by the user in a context in which the user has been provided with clear and accessible information on the purposes of cookies and whether they are going to be used by the same publisher and/or by third parties, so that it can be understood that the user accepts the installation of cookies.
  • In no case does the mere inactivity of the user imply the provision of consent by itself.
  • It will be necessary that the consent has been granted in a free and informed way.
  • The CEPD has established that continuing to browse is not a valid way of giving consent.
  • The user must, in any case, be able to refuse to accept cookies. The option to reject cookies must be offered in the same layer and at the same level as the option to accept them, and the mechanism used for this purpose (button or other) must be similar.
  • The information provided to the user so that they can consent to the use of cookies must be separated from the information offered on other matters.
  • The acceptance of the terms or conditions of use of the website or service must be separated from the acceptance of the privacy or cookie policy.

Who must give consent

  • Consent must be provided by the "recipients" of the information society services.
  • The determination of which method will be appropriate to obtain the consent to use cookies will depend on the type of cookies that are going to be used, their purpose and whether they are their own or from third parties.
  • It must be indicated whether the consent is provided only for the web page on which it is being requested or whether it is also provided for other web pages of the same publisher, or even for third parties associated with the publisher, within the framework of the purposes of the cookies about which information has been offered.
  • Regardless of the method of obtaining consent, the option to reject cookies must be offered to the user at the same time, at the same level and with the same visibility as the option to accept them, without referring them to another layer or different place to perform that action.

Cookie consent for children under 14 years of age

  • In the case of websites or online services specifically aimed at minors, it is worth remembering the need to adopt additional precautions, such as greater simplicity and clarity of the language used.
  • In the case of minors under 14 years of age, the data controller will make reasonable efforts to verify that the consent for the processing of personal data was given by the holder of parental authority or guardianship, taking into account the available technology and the circumstances of the processing.
  • Thus, among other factors, when establishing measures to verify that the consent was given or authorized by the holder of parental authority or guardianship, the level of risk associated with the use of cookies must be considered (for example, taking into account the nature of the data collected), and particular attention must be paid to the principle of data minimization.
  • The lower the risk, the simpler the verification system implemented can be. For example, in the case of unregistered users of a website aimed at minors, if their device and browsing data are used solely for analytical purposes, the consent of the holder of parental authority or guardianship could be obtained by means of a prior warning or call addressed to the minor, indicating in the first information layer that, if they are under 14 years of age, they should notify their father, mother or guardian before continuing to browse so that they can accept or reject cookies, thus avoiding requesting additional data from the minor or the holder of parental authority or guardianship.

For any questions about the regulations for the use of cookies or data protection, contact Tomarial and our specialists will advise you personally.
