The obligation to implement the measures imposed by the Spanish Data Protection Agency (AEPD) to comply with the new Guidelines 03/2022 of the European Data Protection Committee came into force on January 11, 2024. Our colleague Cristina de la Peña has been investigating the matter: to comply with current legislation, all operators of online goods and services must implement cookie banners on their websites, certified by valid and up-to-date Consent Management Platforms (CMPs).
In May 2024 the AEPD updated its guide on the use of cookies to clarify, as far as possible, the doubts raised about the types of cookies, their functionality, and the rights and obligations of online service providers and Internet users. We enclose this document in its entirety for your reference, and below we explain how to apply the law in practice so that you can understand and configure your consent banners correctly:
Most common types of consent
The cookies used by Google (third party cookies or cookies not managed by the publisher or provider of the good or service) would be the following:
- ad_storage: enables storage, such as cookies (Web) or device identifiers (applications), related to advertising.
- ad_user_data: sets the consent to send user data to Google for online advertising purposes. If disabled, no personal data from online advertising, such as user_id or enhanced conversions, is collected.
- ad_personalization: establishes consent for personalized advertising. If refused, personalized advertising does not work, which directly affects Remarketing and Dynamic Remarketing.
- analytics_storage: enables storage, such as cookies (web) or device identifiers (apps), related to statistics, such as duration of visits. If rejected, pings (web) or indicators (apps) are sent instead of cookies for basic measurement and modeling purposes.
In addition, cookies used by the website (first party cookies or cookies managed by the publisher itself) are also included here.
- functionality_storage: enables storage that supports website or app functionality, for example, language settings.
- personalization_storage: enables storage related to personalization, e.g. recommendations of videos, products...
- security_storage: enables security-related storage, such as authentication, fraud prevention and other user protections.
Cookies that are excluded from the standard
According to the new regulations, cookies used for any of the following purposes remain exempt from the established obligations:
- Allow only communication between the user's equipment and the network.
- Strictly to provide a service expressly requested by the user.
Examples of cookies exempted by law:
- "User input" cookies
- User authentication or identification cookies (session only).
- User security cookies
- Media player session cookies.
- Session cookies for load balancing.
- User interface customization cookies.
- Certain plug-in cookies for sharing social content
In the case of multipurpose cookies, i.e. cookies that serve more than one purpose, where some of those purposes are not exempt, the user's approval must be obtained before they are used. To avoid loss of functionality on the website in these cases, it is recommended to use a different cookie for each purpose.
Therefore, we must conclude that for our websites to comply strictly with current legislation, this should be the default state of the following types of consent when a user visits our online store or website for the first time:
- ad_storage: denied
- ad_user_data: denied
- ad_personalization: denied
- analytics_storage: denied
- functionality_storage: denied / granted depending on whether all cookies contained therein are exempted from the rule according to the examples above.
- personalization_storage: denied
- security_storage: denied / granted depending on whether all the cookies contained therein are exempted from the rule according to the examples above. The most common is that they are.
On the other hand, it must be taken into account that the user must be able to withdraw or modify the consent at any time. Therefore, this functionality must be enabled and easily accessible in the consent banners.
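The default state listed above and the later modification or withdrawal of consent, as an added example (not code from the original article or from Geotelecom). It uses Google's `gtag('consent', 'default' | 'update', ...)` calls; `defaultConsent`, `initConsent` and `applyUserChoice` are hypothetical helper names, and `dataLayer` is a local array standing in for `window.dataLayer`.

```javascript
// Stand-in for window.dataLayer so the example also runs outside a browser.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

const CONSENT_TYPES = [
  'ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage',
  'functionality_storage', 'personalization_storage', 'security_storage',
];
// Only these two may start as granted, and only when every cookie
// they cover falls under one of the legal exemptions.
const MAY_BE_EXEMPT = ['functionality_storage', 'security_storage'];

// Build the first-visit state: everything denied unless explicitly exempt.
function defaultConsent(allExempt = {}) {
  const state = {};
  for (const type of CONSENT_TYPES) {
    const exempt = MAY_BE_EXEMPT.includes(type) && allExempt[type] === true;
    state[type] = exempt ? 'granted' : 'denied';
  }
  return state;
}

// Must be called before any Google tag loads.
function initConsent(allExempt) {
  const state = defaultConsent(allExempt);
  gtag('consent', 'default', state);
  return state;
}

// Called from the banner, both for the first choice and for any later
// modification or withdrawal. Anything other than `true` means denied.
function applyUserChoice(current, choices) {
  const next = { ...current };
  for (const [type, accepted] of Object.entries(choices)) {
    if (!CONSENT_TYPES.includes(type)) {
      throw new Error(`Unknown consent type: ${type}`);
    }
    next[type] = accepted === true ? 'granted' : 'denied';
  }
  gtag('consent', 'update', next);
  return next;
}
```

Rejecting unknown keys catches misspelled consent types (such as a swapped word order) that would otherwise leave the real type in its previous state.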
If you need help and support to keep everything up to date with the law, at Geotelecom we can help you. Contact us right now and tell us about your project; we will show you everything we can do for you.