In May 2024 the AEPD renewed its guide to the use of cookies in an effort to clear up, as far as possible, the uncertainty around the categories of cookies, their purposes, and the rights and responsibilities of online service providers and Internet users. We send you this document in full for your reference, and below we explain how to implement the law in practice so that you can review and set up your consent banners properly:
Most typical forms of consent
Google cookies (third-party cookies or cookies not controlled by the publisher or provider of the good or service) would be the following:
ad_storage: allows storage, for example, cookies (Web) or device identifiers (applications), associated with advertising.
ad_user_data: sets the permission to transmit user data to Google for the purposes of online advertising. If disabled, no personal data such as user_id or improved conversions is received from online advertising.
ad_personalization: sets consent for personalized ads. If denied, personalized advertising fails, directly impacting Remarketing and Dynamic Remarketing.
analytics_storage: allows storage, e.g. cookies (web) or device identifiers (apps), pertaining to statistics, e.g. length of visits. If declined, pings (web) or indicators (apps) are fired instead of cookies, for simple measurement and modelling.
In addition, cookies used by the website (first-party cookies or cookies managed by the publisher itself) are also included here.
functionality_storage: enables storage that supports website or app functionality, for example, language settings.
personalization_storage: enables storage related to personalization, e.g. recommendations of videos, products.
security_storage: enables security-related storage, such as authentication, fraud prevention and other user protections.
Cookies that are excluded from the standard
Under the new rules, cookies placed for either of the following purposes are exempt from the obligations set:
Solely to enable communication between the user’s equipment and the network.
Solely to supply a service explicitly requested by the user.
Examples of exempt cookies:
“User input” cookies
User authentication or identification cookies (session only).
User security cookies
Media player session cookies.
Session cookies for load balancing.
User interface customization cookies.
Some plug-in social content-sharing cookies
With regard to multipurpose cookies, i.e. cookies that serve more than one purpose, some of which are not exempt, the user's consent has to be obtained before they can be used. In order not to lose functionality on the web in such situations, it is advisable to use a separate cookie for each purpose.
Thus, for our websites to strictly adhere to existing law, the following kinds of consent should be the default setting when a user logs into our online shop or website for the first time:
ad_storage: denied
ad_user_data: denied
ad_personalization: denied
analytics_storage: denied
functionality_storage: denied / granted, depending on whether all the cookies included therein are exempt from the rule in accordance with the examples provided above.
personalization_storage: denied
security_storage: denied / granted, depending on whether all the cookies included therein are exempt from the rule in accordance with the examples above. Most typically, they are.
In addition, the user should be able to withdraw or change consent at any time; this functionality should therefore be activated and easily accessible in the consent banners.
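The default state and the withdrawal requirement above, expressed with Google's Consent Mode gtag calls. This is an added example, not code from the original article; the cookie inventory, the purpose labels and the helper names (allExempt, buildDefaultConsent, updateConsent) are assumptions made for illustration.

```javascript
// Added example: Consent Mode defaults for a first visit, following the list above.
// Outside a browser (e.g. Node) globalThis stands in for window.
globalThis.dataLayer = globalThis.dataLayer || [];
function gtag() { globalThis.dataLayer.push(arguments); } // standard gtag stub

// Consent types that always need consent, so they always start as denied.
const CONSENT_REQUIRED = ['ad_storage', 'ad_user_data', 'ad_personalization',
                          'analytics_storage', 'personalization_storage'];

// Exempt purposes from the article's examples (labels constructed for this example).
const EXEMPT_PURPOSES = new Set(['user_input', 'session_auth', 'user_security',
  'media_player_session', 'load_balancing', 'ui_customization', 'social_sharing_plugin']);

// A category may default to granted only if every purpose of every cookie in it is
// exempt; one multipurpose cookie with a non-exempt purpose blocks the category.
function allExempt(cookies) {
  return cookies.every(c => c.purposes.every(p => EXEMPT_PURPOSES.has(p)));
}

function buildDefaultConsent(inventory) {
  const state = {};
  for (const key of CONSENT_REQUIRED) state[key] = 'denied';
  state.functionality_storage = allExempt(inventory.functionality_storage) ? 'granted' : 'denied';
  state.security_storage = allExempt(inventory.security_storage) ? 'granted' : 'denied';
  return state;
}

// Banner callback: grant or withdraw. Withdrawal is an update back to denied.
function updateConsent(choices) {
  const update = {};
  for (const key of CONSENT_REQUIRED) {
    if (key in choices) update[key] = choices[key] ? 'granted' : 'denied';
  }
  gtag('consent', 'update', update);
  return update;
}

// Constructed cookie inventory for a hypothetical shop.
const sampleInventory = {
  functionality_storage: [
    { name: 'lang', purposes: ['ui_customization'] },
    { name: 'chat_widget', purposes: ['ui_customization', 'analytics'] }, // multipurpose
  ],
  security_storage: [{ name: 'csrf_token', purposes: ['user_security'] }],
};

const defaults = buildDefaultConsent(sampleInventory);
gtag('consent', 'default', defaults); // must run before any Google tag loads
```

With this inventory, functionality_storage defaults to denied because chat_widget also serves a non-exempt purpose; splitting it into one cookie per purpose, as advised above, would let the exempt part default to granted.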