
On January 11, 2024, the new Cookie Policy of the Spanish Agency for Data Protection (AEPD) came into force. The AEPD updated it to align with Guidelines 03/2022 on deceptive patterns from the European Data Protection Board (EDPB).
This update introduced significant changes that have affected how websites manage cookies, especially regarding user transparency and consent.
Have the cookie use changes been implemented?
The criteria established in the new cookie usage guidelines were to be implemented by January 11, 2024, with a six-month transitional period to make the necessary adjustments.
One year after its enforcement, it is clear that these updates have promoted greater transparency and user control over the use of their personal data, marking a significant milestone in data protection in Spain.
What changes applied to the use of cookies
1. Personalization Cookies
One of the most significant updates is the clarification regarding personalization cookies. Now, when a user selects options such as language or currency, these cookies are considered technical and do not require consent, provided they are not used for other purposes.
Practical Example: A website allows users to select their preferred language without needing consent. However, if the user’s information is used to personalize the browsing experience, consent must be obtained, and clear options to accept or reject must be provided.
2. Cookie Banner
The handling of cookie banners has also changed. Now they must include three buttons: reject all cookies, accept them, or configure them according to the user’s preferences. Additionally, the "reject" button must be clearly visible, and the colors and contrasts should not mislead the user.
Practical Example: A website shows a cookie banner with three visible and clear options: reject all, accept them, or configure them. The "reject" button is easily locatable and contrasted, and no checkbox is pre-checked to ensure valid consent.
3. Information Mechanisms
The AEPD recommends using mechanisms that facilitate information about cookies, such as dropdown buttons or pop-up text.
Practical Example: A website uses buttons that display detailed information about cookies when clicked, allowing the user to easily access the desired information.
4. Duration of Consent
The consent given by the user should not last longer than 24 months, during which preferences should be retained without needing to request new consent on each visit.
Practical Example: A user gives consent for cookie use on a website, which remains valid for 24 months, remembering their preferences without requesting consent again during this period.
5. Cookie Walls
Access to a service cannot be conditioned on accepting cookies. An alternative without cookies must be offered, although this does not necessarily have to be free.
Practical Example: A website cannot block access to its content if the user does not accept cookies but may offer a cookie-free access option, which could be paid.
Major cases and penalties after one year of implementation
In 2024, penalties for improper use of cookie banners significantly increased due to the stricter implementation of AEPD guidelines. Companies that do not comply with requirements such as clear visibility of the "reject cookies" button, prohibition of pre-checked options, and the need for informed and non-deceptive consent face fines that can reach up to 30,000 euros per violation. This tightening reflects the AEPD's commitment to protecting users' rights in the digital environment.
An example of this is the recent 16,000-euro fine that SEAT received on September 18, 2024, for using user cookies – specifically, functionality and segmentation cookies, i.e., non-essential cookies – without prior consent.
The AEPD identified two specific violations: on one hand, the installation of cookies without explicit consent, and on the other hand, the lack of effective mechanisms to revoke consent in the preferences settings panel.
Another example occurred in France, where on November 14, 2024, the French supervisory authority (Commission Nationale de l'Informatique et des Libertés - CNIL) fined ORANGE 50 million euros for inserting ads into users’ emails without proper consent, as well as for improper cookie usage. Despite users withdrawing their consent for the storage and reading of cookies on the website, previously stored cookies continued to be read.
Data protection and digital law department