- Necessary always offer the user in the 1st layer (banner) the possibility of rejecting all cookies, accepting them or configuring them at your choice (displaying configuration panel). That is, three buttons will be required to choose from on the banner.
- The option "Reject" should be visible and not hidden under colors, letters or sizes that prevent their location.
- Do not incorporate color combinations that encourage acceptance (for example "accept" in phosphor green and "reject", "set" in a softer color).
- There can be no pre-ticked boxes in the settings panel.
- Improper references to legitimate interest are not allowed as a legal basis to install cookies (imprecise expressions such as "to show you personalized content" "to improve your experience", etc.)
- It cannot be indicated that cookies are technical in the settings panel when they actually need consent.
- As good practice, it is recommended to enable a floating button on the web to access the cookie configuration panel at any time. It should always be available and as visible as possible. It should be just as easy to give consent as it is to withdraw (or manage) it. And this must be explained in the text of the COOKIES POLICY.
- It should be taken into account that the same cookie can have more than one purpose (multipurpose cookies), so there is the possibility that a cookie is exempted from the scope of application of article 22.2 of the LSSI for one or more of its purposes and not for others, the latter being subject to the scope of application of said precept. . This should encourage website owners to use a different cookie for each purpose. It must be guaranteed that these cookies are only used if all the purposes they group are accepted, that is, if a cookie serves two purposes, but the user only accepts one of them, the cookie should not be used, and this unless the management used allows a differentiated treatment to be given to the different purposes of these multi-purpose cookies, so that if the user accepts one of its purposes and not others, the cookie only operates with the accepted purpose.
- Must be provide users with clear and complete information on the use of data storage and recovery devices and, in particular, on the purposes of data processing. The information about cookies provided at the time of requesting consent must be complete enough to allow users to understand their purposes and the use that will be given to them.
- The user may not be given the impression that they have to accept cookies to navigate the website.
- It will not be possible to clearly push the user to accept cookies
- The color or contrast of the text and buttons (or equivalent mechanisms) may not be obviously misleading to users, in a way that leads to involuntary consent. It will not be valid, for example, if the option to reject cookies is a button with a text that does not contrast sufficiently with the color of the button and, therefore, cannot be read.
- The maximum degree of granularity (cookie-by-cookie selection, even within the same purpose) should be avoided, since the excess of information makes decision-making difficult.
- The button or mechanism to manage the user's preferences must lead directly to the configuration panel, without having to scroll through large amounts of text looking for the information, which must remain permanently accessible.
- In the configuration panel it should be clearly indicated or clear how to save the selection made by the user. For these purposes, for example, a button with the text “Save selection”, “Save configuration” or similar texts would be valid.
- To facilitate the selection, two buttons may also be implemented in the panel, one to select all the categories of cookies and another to reject them all if the user has previously selected them, this option being recommended the greater the number of different categories in which cookies have been classified. If the user saves his choice without having selected any cookies, it will be equivalent to the rejection of all cookies.
- In no case are pre-marked options admissible in favor of accepting cookies to obtain valid consent.
- In relation to third-party cookies, it is enough to identify them by name or by the brand with which they identify themselves to the public, without including the full company name.
- Definition and generic function of cookies.
- Information about the type of cookies that are used and their purpose.
- Where appropriate, information on data transfers to third countries made by the publisher.
- When profiling involves automated decision-making with legal effects for the user or that significantly affect him in a similar way, it will be necessary to report on the logic used, as well as the importance and expected consequences of said treatment for the user. in the terms established in article 13.2.f) of the GDPR.
- Conservation period.
How information about cookies should be displayed
- The information or communication must be concise, transparent and intelligible, it must be understandable to the average member of the target audience.
- Possibility of using “layers”; highly recommended.
How to give consent
- For the use of non-excepted cookies, it will be necessary in any case to obtain the consent of the user. This consent may be obtained through express formulas, such as clicking on a section that indicates "I consent", "I accept", or other similar terms.
- It can also be obtained by inferring it from an unequivocal action carried out by the user in a context in which the user has been provided with clear and accessible information on the purposes of cookies and whether they are going to be used by the same publisher and/or by third parties. so that it can be understood that the user accepts the installation of cookies.
- In no case does the mere inactivity of the user imply the provision of consent by itself.
- It will be necessary that the consent has been granted in a free and informed way
- The CEPD has established that continuing to browse is not a valid way of giving consent.
- That the user, in any case, may refuse to accept cookies. The option to reject cookies must be offered in the same layer and at the same level as the option to accept them and the mechanism used for this purpose (button or other) must be similar.
Who must give consent
- Consent must be provided by the "recipients" of the information society services.
- It must be indicated if the consent is provided only for the web page in which it is being requested or if it is also provided for other web pages of the same publisher or even for third parties associated with the publisher within the framework of the purposes of the cookies on which it is has offered information.
- Regardless of the method of obtaining consent, the option to reject.
- Cookies must be offered to the user at the same time, at the same level and with the same visibility as accepting them, without referring them to another layer or different place to perform that action.
Cookie consent for children under 14 years of age
- In the case of websites or online services specifically aimed at minors, it is convenient to remember the need to adopt additional precautions, such as greater simplicity and clarity of the language used.
- In the case of minors under 14 years of age, the person in charge will make reasonable efforts to verify that the consent for the processing of personal data was given by the holder of parental authority or guardianship, taking into account the available technology and the circumstances of the treatment.
- The lower the risk, the simpler the verification system implemented can be. For example, in the case of unregistered users of a website aimed at minors, if their device and browsing data are used solely for analytical purposes, the consent of the holder of parental authority or guardianship could be obtained prior warning or call addressed to the minor indicating in the first information layer that, if you are under 14 years of age, before continuing browsing, notify your father, mother or guardian to accept or reject cookies, thus avoiding requesting additional data from the minor or the owner of parental authority or guardianship.