In the dynamic world of online privacy regulations, the recent guidelines from the Spanish Data Protection Agency (AEPD) are reshaping the landscape for website cookies. The transition away from the era of cookies has proven to be more turbulent than anticipated, particularly in Spain. In mid-December, the controversy arose when ElDiario.es introduced a banner offering users two choices: free browsing with ads (requiring cookie acceptance) or ad-free browsing with a subscription starting at 1 euro per week.
Addressing the uncertainties, we previously explained that, according to the AEPD’s July 2023 regulations, such an approach was permissible: “There may be certain cases where the non-acceptance of cookie usage prevents access to the website or the full or partial use of the service. However, this should be adequately communicated to the user, and an alternative, not necessarily free, access to the service without the need for cookie acceptance should be provided.”
This controversy resurfaced in recent days as other media outlets adopted a similar strategy, requesting payment from users to bypass cookies. This trend sparked renewed criticism and coincided with the AEPD’s latest publication on January 11, titled “Guide to the Use of Cookies for Audience Measurement Tools.”
The guide focuses on cookies used for obtaining traffic or performance statistics, clarifying that they “may be exempt from consent under certain conditions.”
The document further explains that for exemption from consent, these cookies or similar technologies should not allow data to be cross-referenced with other processing operations or transmitted to third parties. It excludes any solution using the same identifier across multiple sites for cross-referencing, duplicating, or measuring a unified reach rate of content.
With this, the AEPD initiates the year by offering a different perspective to numerous websites, presenting the possibility of avoiding the often cumbersome cookie acceptance banners for their users.
Cookies Exempted by the AEPD: What’s Considered Necessary?
The AEPD defines cookies necessary for the proper functioning of a website or app, specifically in the context of traffic measurement. The agency deems the following measurements strictly necessary for site administration:
- Audience measurement, page by page
- List of pages linked to the current page, internally or externally (referrer), aggregated daily
- Determination of device type, browser, and screen size of visitors, per page and aggregated daily
- Page load time statistics, per page and aggregated hourly
- Statistics on time spent on each page, bounce rate, scroll depth, per page and aggregated daily
- User action statistics (clicks, selections), per page and aggregated daily
- Statistics on the geographical origin of requests, per page and aggregated daily.
In any other cases, obtaining user consent should be sought.
What to Do If Your Cookies Are Exempted?
For those falling under the exempted category, here’s the recommended course of action according to the published text:
- Users should be informed of the use of these exempted cookies or similar technologies for audience measurement, e.g., through the site’s privacy policy or mobile app.
- The lifespan of these cookies or similar technologies should be limited to a period allowing meaningful audience comparison over time, such as a duration of thirteen months, and should not automatically extend on new visits.
- Information collected through these cookies or similar technologies should be retained for a maximum period of twenty-five months.
- The mentioned lifespan and retention period are subject to periodic review to adhere strictly to necessities.
The AEPD also outlines considerations for analytics service providers involved in “audience measurement across multiple publishers.” These providers must ensure the independent collection, processing, and storage of data for each publisher. The cookies or similar technologies used should be entirely independent of each other and any other cookie or similar technology.
This change in the approach to cookie challenges represents a significant shift, especially for numerous small websites relying on non-technical cookies in analytics. These sites may now be exempt from obtaining consent from their visitors, as highlighted by analytics expert Pablo Moratinos on his X profile.
However, this development raises more questions than answers at this point. It comes at a time when many websites are still adjusting to the transition from Universal Analytics to GA4, Google is making initial strides towards a post-cookie environment, and the integration of this novelty within the framework of GDPR, with European-wide implications, remains uncertain. The evolution of online privacy regulations continues to shape the digital landscape, with the AEPD’s latest guidelines providing a glimpse into the evolving world of website cookies in Spain.
