Utilizziamo cookie tecnici per personalizzare il sito web e offrire all’utente un servizio di maggior valore. Chiudendo il banner e continuando con la navigazione verranno installati nel Suo dispositivo i cookie tecnici necessari ai fini della navigazione nel Sito. L’installazione dei cookie tecnici non richiede alcun consenso da parte Sua. Ulteriori informazioni sono contenute nella nostra Cookie Policy.



Is your website compliant with the new cookie regulations?

PrintMailRate-it

​​​​​​​​​​​​​​​​​​​​​published on 18 June 2024 | reading time approx. 3 minutes


In May, the Spanish Data Protection Authority (the ‘Authority’ or ‘AEPD’ for its acronym in Spanish) released an update to its Cookie Guidelines, incorporating the criteria set by the European Data Protection Board (EDPB) on when and how 'pay or okay' models can be implemented to ensure valid consent. 

These guidelines, aimed primarily at large online platforms such as major social networks, stipulates that access to a website's services and functionalities cannot be contingent upon user’s acceptance of the use of cookies.

This means that from the 'first-layer banner' or 'cookie wall', the user must have a clear option to reject, accept, or customize cookies with equal visibility and ease. A website that fails to provide a clear alternative for consent may be deemed non-compliant, as it does not ensure that users can freely choose not to consent to their data being processed.

However, the EDPB's significant relevance lies in its criteria for when 'pay or okay' models can be applied to achieve valid consent. 

According to the EDPB, offering users a binary choice between consenting to the processing of personal data for behavioral advertising (involving personalized ads based on user interests and behaviors) or paying a fee to avoid such processing, typically does not suffice to meet the requirements for valid consent in most cases.

Under Article 7 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR); consent must be freely given, specific, informed, and unambiguous, meaning that users must genuinely be able to decide whether or not to consent to the use of their data for behavioral advertising. 

If platforms opt to use personal data for behavioural advertising and only offer a payment option to avoid it, this could be considered coercive and fail to meet the standards of valid consent. Therefore, it is crucial to offer users a free alternative, such as general or contextual advertising (ads based on the content of the visited web page), which does not require extensive use of personal data and is less intrusive in terms of user privacy.

Although the EDPB's directive is not new legislation or legally binding, its impact is substantial in requiring platforms using 'pay or okay' models to demonstrate that they are not forcing users to accept cookies. This can be challenging, particularly if the fee is disproportionate or if the platform previously offered its content for free.

It is expected that during the first half of 2025, the EDPB will publish a general guidance on the validity of consent in 'pay or okay' models, thereby providing clarity on their usage.

Authors:
Inés Olalquiaga
Jorge Cabet - Senior Associate

 DATA PROTECTION BITES

contact

Contact Person Picture

Patricia Ayala Jiménez

Abogado

Partner

+34 91 5359 977

Invia richiesta

 RÖDL & PARTNER SPAIN

​​​​​​Discover more about our offices in Spain. Read more »
Deutschland Weltweit Search Menu