Out-Law News | 28 Nov 2019 | 4:25 pm | 3 min. read
To meet the transparency requirements of those laws, information including details of the type of cookies being used, the data they will gather and the purposes for which the data is collected, as well as who the data collected could be shared with, must be disclosed to internet users.
According to the AEPD, the information about cookies that is disclosed to internet users must be displayed alongside a system or configuration panel that enables the user to choose whether or not to accept cookies in a granular form.
The AEPD explained that it is up to website publishers to determine just how granular the cookie consent options need to be. As a minimum, however, users should be able to exercise their consent choices in relation to cookies split into groups according to the purpose they serve. This, the regulator said, might mean enabling users to choose to accept analytic cookies and not cookies which will track their online activity for the purposes of serving them behavioural adverts, for example.
In addition to offering granularity, the AEPD said it expects website publishers to display two buttons on the configuration panel – one that offers the option to accept all cookies and the other to reject all cookies.
The AEPD also confirmed that, in some cases, the act of continued browsing by an internet user can be sufficient to signal their consent to cookies. It provided guidance on the information requirements operators must meet and the technical steps users must take for the legal standard of consent to be met in those circumstances.
However, in some cases the AEPD said it is possible for consent to be gleaned from users that do keep browsing.
Firstly, website operators would need to display the information notice in "a clearly visible place" so that because of its shape, color, size or location the operators can be assured that the notice has not been missed by the user.
In addition, consent could only be said to be granted from users that keep browsing if they have taken a clear affirmative action in their browsing activities – that means, for instance, that they have navigated to a different section of the website, scrolled down the existing webpage, or clicked on the content on the page, the AEPD said in providing examples. Merely moving the mouse, pressing a key or remaining on the screen displayed, for example, will not be sufficient action by the user to meet the requirements of consent, it said.
Further, the AEPD confirmed that the 'keep browsing' mechanism of consent will only be valid if website operators include a button for rejecting all cookies on their cookie consent system.
The AEPD recently issued budget airline Vueling with a fine of €30,000 after it found fault with the company's cookie consent mechanism.