The Spanish Data Protection Authority Agency (“AEPD”) recently updated its cookie guidance, which now requires a “reject” button in the first layer of cookie banners.
Previously, the AEPD did not require a “reject” option in the first layer of information, commonly referred to as the cookie banner. The option to reject any cookies being installed on devices could be provided in the second layer of information or cookie settings.
The majority of European Union (“EU”) Supervisory Authorities consider the approach of a cookie banner without a “reject” option alongside an “accept” option as an infringement of the ePrivacy Directive. This was also reflected in the report issued by the European Data Protection Board’s (“EDPB”) Cookie Banner Taskforce in January 2023.
The updated guidance aligns with the Cookie Banner Taskforce report and the EDPB’s Guidelines on deceptive patterns, which were adopted in February 2023. This change introduces a stricter criterion, requiring the inclusion of a “reject” button in cookie banners.
The guidance includes examples of adequate cookie banners and sets out that both options (that is, “accept all” and “reject all”) must be presented to the user at the same time, at the same level and with the same visibility. Colour or contrast of the text and buttons must not lead users to provide consent involuntarily.
This updated cookie guidance of the Spanish Regulator follows the approach of the French and Belgian Supervisory Authorities and the British Information Commissioner’s Office (“ICO”). Looking ahead, updates from various other EU Supervisory Authorities will be closely monitored to determine if a similar approach will be adopted in other EU Member States.