Understanding Andorran cookie guidelines: a comprehensive overview

The Andorran data protection authority (APDA) issued guidelines on the use of cookies in Andorra, requiring compliance from January 2024. We take a look at the Andorran cookie guidelines to learn about cookie banner and privacy policy requirements, and how you can be compliant.
Published by Usercentrics
Jun 26, 2024

The Andorran Data Protection Agency (APDA) introduced new cookie guidelines that came into effect on January 24, 2024. These guidelines aim to enhance transparency and user control over how cookies are used, ensuring better protection of personal data for individuals interacting with online services in Andorra.

What is the data privacy law in Andorra?

Andorra's Qualified Law on Personal Data Protection (LQPD) sets comprehensive rules for the protection of personal data within the Principality of Andorra. The law, known as Law 29/2021, came into effect on May 17, 2022, and is designed to protect the data of Andorran residents and raise privacy standards.

Closely aligned with the European Union’s (EU) General Data Protection Regulation (GDPR), the LQPD incorporates similar principles and requirements to ensure robust data protection. This alignment helps Andorran businesses and organizations meet international data protection standards, particularly those pertaining to transparency, lawful processing, and data minimization.

The LQPD also established the Andorran Data Protection Agency (APDA) as the supervisory authority, which holds significant powers, including overseeing data protection compliance, enforcing regulations, and addressing data protection violations.

Does the GDPR apply to Andorra?

Yes, as the GDPR has extraterritorial application, its provisions apply to Andorran companies that process the personal data of EU residents. This means that if an Andorran business offers goods or services to, collects personal data from, or monitors the behavior of, individuals within the EU, it must comply with GDPR requirements.

However, Andorra is not an EU member state, so the GDPR itself does not govern the processing of Andorran residents' personal data by organizations in Andorra.

The ePrivacy Directive (also known as the “cookie law”), which addresses privacy issues in electronic communication and the use of cookies to collect personal data in the EU, does not apply to the use of cookies in Andorra.

The APDA has published its own cookie guidelines, in force as of January 24, 2024, to regulate the use of cookies. Although Andorra is not bound by the guidelines of the European Data Protection Board (EDPB), the APDA has incorporated guidance published by the EDPB into its cookie guidelines.

The Andorran cookie guidelines encompass a broad range of cookies and do not distinguish among the various sources from which they originate. This approach means that the guidelines apply to cookies not only from websites and mobile applications but also from a variety of other internet-connected devices. These devices include smart TVs, video game consoles connected to the internet, voice assistants, Internet of Things (IoT) devices, and vehicles connected to a network.

The Andorran cookie guidelines emphasize the importance of obtaining user consent before activating non-essential cookies. Consent must be freely given, informed, specific, and unambiguous. This means users must be clearly informed about the cookies and their purposes and must provide consent through a clear affirmative action, such as clicking an “I accept” button. Organizations are required to maintain records of users’ consent, including details of how and when it was obtained.

While the guidelines do not explicitly use the term “prior consent,” they require that consent must be obtained before setting cookies. Users must also have the ability to withdraw their consent easily at any time, with the withdrawal process being as straightforward as that for giving consent.

The APDA’s guidelines classify cookies along three axes, noting that a cookie can fall under more than one category:

  • purpose
    • technical or strictly necessary cookies, without which the website can’t function
    • preference cookies, to set user preferences such as language
    • statistics cookies, for analytics purposes
    • advertising cookies, to display ads to visitors
  • provenance
    • first-party cookies, which are set by the owner of the website the user is visiting
    • third-party cookies, which are set by someone other than the website owner
  • duration
    • session cookies, which are deleted when the user closes their browser
    • persistent cookies, which are not deleted at the end of the session

For persistent cookies, whether third-party or not, the guidelines specifically reference the recommendations of France’s National Commission on Informatics and Liberty (CNIL), limiting the maximum retention time to twenty-five (25) months. This measure helps to ensure that personal data is not stored longer than necessary.

After this period, cookies must be deleted or new consent must be obtained from the user to continue storing them. This 25-month period is quite long compared to retention and deletion requirements of a number of other privacy laws.

Beyond setting a maximum retention time, the APDA advises data controllers to periodically review the retention time of their cookies as part of the ongoing assessment of technical and organizational measures.
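As an added example (not code from the guidelines or from Usercentrics), the following script shows how that periodic review can be automated: it parses the Set-Cookie headers a site returns, computes each cookie's lifetime, and flags cookies that outlive the 25-month ceiling, cookies whose real lifetime is longer than the one disclosed in the cookie policy, and cookies missing from the disclosed inventory altogether. The sample headers, the inventory and the reference date are constructed for the example, and the 30.44-day month used for the cap is an assumption.

```javascript
// Added example, not code from the APDA guidelines or from Usercentrics: audit the
// Set-Cookie headers a site emits against (a) the inventory disclosed in its cookie
// policy and (b) the 25-month ceiling for persistent cookies. The headers, the
// inventory and the reference time below are constructed for this example.

// Assumption: a "month" is approximated as 30.44 days for the comparison.
const MAX_LIFETIME_SECONDS = Math.round(25 * 30.44 * 86400); // 65,750,400 s

// Parse one Set-Cookie header into { name, value, attributes }; attribute keys are
// lower-cased so "Max-Age" and "max-age" are treated alike.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq >= 0 ? pair.slice(0, eq).trim() : pair,
    value: eq >= 0 ? pair.slice(eq + 1) : '',
    attributes: {},
  };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i >= 0 ? attr.slice(0, i) : attr).trim().toLowerCase();
    cookie.attributes[key] = i >= 0 ? attr.slice(i + 1).trim() : true;
  }
  return cookie;
}

// Lifetime in seconds measured from nowMs; null means a session cookie.
// RFC 6265: Max-Age takes precedence over Expires when both are present.
function cookieLifetimeSeconds(cookie, nowMs) {
  const a = cookie.attributes;
  if (a['max-age'] !== undefined) {
    const n = Number(a['max-age']);
    return Number.isFinite(n) ? n : null;
  }
  if (a.expires !== undefined) {
    const t = Date.parse(a.expires);
    return Number.isNaN(t) ? null : Math.round((t - nowMs) / 1000);
  }
  return null;
}

// Compare each header with the disclosed inventory. Findings:
//   undeclared                  cookie not listed in the cookie policy
//   lifetime-exceeds-25-months  persistent cookie outlives the ceiling
//   longer-than-disclosed       real lifetime is longer than the policy states
function auditCookies(headers, inventory, nowMs) {
  const findings = [];
  for (const header of headers) {
    const cookie = parseSetCookie(header);
    const lifetime = cookieLifetimeSeconds(cookie, nowMs);
    const declared = inventory[cookie.name];
    if (!declared) {
      findings.push({ name: cookie.name, issue: 'undeclared', lifetime });
      continue;
    }
    if (lifetime !== null && lifetime > MAX_LIFETIME_SECONDS) {
      findings.push({ name: cookie.name, issue: 'lifetime-exceeds-25-months', lifetime });
    }
    if (lifetime !== null && declared.lifetimeSeconds !== null && lifetime > declared.lifetimeSeconds) {
      findings.push({ name: cookie.name, issue: 'longer-than-disclosed', lifetime, disclosed: declared.lifetimeSeconds });
    }
  }
  return findings;
}

// Constructed sample: what a crawler might capture from one response.
const NOW = Date.parse('2024-06-26T00:00:00Z');
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',     // session cookie
  'lang=ca; Max-Age=31536000; Path=/; SameSite=Lax',               // 1 year, as disclosed
  '_ga=GA1.2.1; Expires=Fri, 26 Jun 2026 00:00:00 GMT; Path=/',   // 2 years, disclosed as 1
  'ad_id=xyz; Max-Age=94608000; Path=/; Secure; SameSite=None',    // 3 years, over the cap
  'tracker=1; Max-Age=2592000; Path=/',                            // not in the policy
];
// Constructed inventory, as it would be disclosed in the cookie policy.
const INVENTORY = {
  sessionid: { category: 'necessary', lifetimeSeconds: null },
  lang: { category: 'preference', lifetimeSeconds: 31536000 },
  _ga: { category: 'statistics', lifetimeSeconds: 31536000 },
  ad_id: { category: 'advertising', lifetimeSeconds: 94608000 },
};

console.log(auditCookies(SAMPLE_HEADERS, INVENTORY, NOW));
```

Run it over headers captured from every first- and third-party response on the site, not only the landing page, since advertising and analytics cookies are frequently set by embedded resources rather than by the document itself. A mismatch between the disclosed and the real lifetime is a finding in its own right, because the guidelines require the duration of storage to be stated before consent is given.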

Like the GDPR, the LQPD requires data controllers to obtain specific and explicit consent from data subjects to collect their personal data, including data collected through cookies.

For cookie consent to be valid under the APDA’s guidelines, cookie consent banners must meet specific formatting criteria:

  • a reject or decline button must be present in the first layer of the banner, and its absence is a violation of the guidelines
  • information provided to users before consent must be clear and comprehensive
  • when two alternatives are offered, users must be informed of the consequences of each choice, ensuring both options are equally clear and accessible
  • pre-checked boxes in the second layer do not constitute valid consent
  • the visual format for accepting or rejecting cookies must be straightforward and based on a positive action; implicit actions, such as continuing to browse, are prohibited and do not constitute valid consent
  • colors and contrasts that may steer users toward one option over another (so-called dark patterns) can invalidate consent
  • a simple mechanism for withdrawing consent, such as a permanent and visible floating button, must be provided
  • legitimate interest is not a valid basis for processing data collected through cookies

The guidelines also stipulate that the information provided to users on the cookie banner must be easily visible, intelligible, and clearly legible. Before obtaining consent, users must be informed of:

  • the identity of the data controller(s)
  • what data will be collected
  • the general purposes and types of cookies, with links for more details (e.g. personalized advertising cookies)
  • the duration of cookie storage
  • how to accept or reject cookies and the consequences of each action
  • the right to withdraw consent at any time and how to do so
  • possible recipients of the data

Cookie walls are generally not allowed, as they do not offer a genuine alternative to consent. There are, however, cases in which refusing cookies may prevent access to the website or limit the use of its services. In those cases, users must be fully informed of the consequences and offered an alternative way to access the service that does not require accepting cookies. The alternative does not have to be free, but it must be reasonable, so that users are not effectively forced to accept cookies.

The APDA’s guidelines outline the necessary information that must be included in a privacy policy to inform users about how their data is obtained and processed. The policy must include:

  • name and contact details of the controller, and, if applicable, the contact details of the data protection officer
  • purpose(s) of processing
  • legal basis for obtaining the data
  • categories of data subjects and categories of personal data collected
  • who will receive the data, including recipients in third countries or international organizations
  • information about third-party cookies on the website that record users’ personal data, and identification of the third-party recipients as processors who may access the data with user consent
  • any planned international data transfers, detailing the countries involved and whether they have equivalent levels of protection
  • retention periods for each type of data
  • security and confidentiality measures in place to protect the data

The guidelines specify the requirements for a legal notice, which must include:

  • identifying information about the controller
  • objective of the company or website, whether commercial, advertising, or otherwise
  • all aspects related to data processing, including:
    • record of processing activities
    • purpose of the processing
    • data sharing with third parties
    • data retention periods
    • methods for exercising rights (information related to data processing may be provided in a summarized version, provided it links to the complete privacy policy)
  • type of license under which the website’s content or products are offered, including information on intellectual and industrial property rights
  • obligations and responsibilities of the website user
  • information about the types of cookies used by the website and the user’s options to accept, reject, or choose an alternative (summarized information is acceptable if it links to the complete cookie policy)
  • declarations and warranties
  • information on dispute resolution, applicable law, and jurisdiction, including the means for pursuing claims

The guidelines themselves do not set fines or penalties. Instead, they reference the legal framework under which sanctions are imposed: the guidelines align with the conditions for consent set out in Articles 7 and 8 of the LQPD, and failure to comply with those conditions can result in administrative fines ranging from EUR 30,001 to EUR 100,000.

To avoid the legal and financial repercussions of noncompliance, organizations operating within Andorra’s jurisdiction can take certain steps to achieve compliance with the Andorran cookie guidelines.

1. Implement consent mechanisms

Organizations must ensure their methods for obtaining user consent meet stringent legal standards. Consent must be explicit, specific, informed, freely given, and revocable. Consent for different data processing activities must not be bundled, and separate consents should be obtained for distinct operations. Using a consent management platform (CMP) like Usercentrics CMP can help in collecting legally valid, explicit consent as required by the Andorran cookie guidelines and the LQPD.

2. Display cookie consent banners that follow specifications

When implementing cookie consent banners, organizations must ensure they provide clear and unambiguous choices between accepting and rejecting cookies, giving equal prominence to both options. Notably, the absence of a reject or decline button in the first layer of the cookie banner constitutes a violation of the guidelines. Avoid using pre-checked boxes or design elements that could mislead or confuse users. Organizations are advised to implement a simple mechanism, such as a permanently visible floating button, to enable users to easily withdraw their consent.

3. Maintain compliance records

Data controllers must prove that consent was obtained per legal obligations. This involves keeping comprehensive records of when and how consent was given or withdrawn. These records should be easily accessible for audits and updated whenever users modify their consent preferences.

Compliance records should include details such as:

  • who provided consent
  • the date and time they consented
  • the method by which they provided consent
  • the information provided to them at the time consent was obtained
  • if they have withdrawn consent, the date and time they did so

Additionally, retention periods for each data category should be documented, along with descriptions of the security measures in place to protect the data.
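The consent mechanism, the banner rules and the record-keeping requirement above can be collapsed into a small piece of front-end logic. The following is an added example, not Usercentrics' CMP or anything published by the APDA: a consent gate that refuses non-essential cookies until the user has opted in through an explicit action, withdraws consent with one call of the same shape (and removes the affected cookies at the same time), keeps a consent record with the fields listed in step 3, and caps persistent lifetimes at 25 months. The cookie store is injected (an in-memory jar here, document.cookie in a browser); the category names, the notice version identifier and the visitor identifier are assumptions for the example.

```javascript
// Added example, not Usercentrics' or the APDA's code: a consent-gated cookie layer
// that refuses non-essential cookies until the user opts in, withdraws with a single
// call that also deletes the affected cookies, keeps the consent record the
// guidelines describe (who, when, how, what they were shown) and caps persistent
// lifetimes at 25 months. The cookie store is injected so the logic runs outside a
// browser; category names, the notice version and the visitor id are assumptions.

const CATEGORIES = ['necessary', 'preference', 'statistics', 'advertising'];
const MAX_LIFETIME_SECONDS = 761 * 86400; // assumption: 25 months ~ 761 days

// In-memory stand-in for document.cookie. A browser adapter would instead assign
// `${name}=${value}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax` and delete
// with Max-Age=0.
class MemoryCookieJar {
  constructor() { this.jar = new Map(); }
  set(name, value, maxAgeSeconds) { this.jar.set(name, { value, maxAgeSeconds }); }
  remove(name) { this.jar.delete(name); }
  has(name) { return this.jar.has(name); }
}

class ConsentManager {
  constructor({ store, clock = () => Date.now(), noticeVersion }) {
    this.store = store;
    this.clock = clock;                       // injectable for deterministic records
    this.noticeVersion = noticeVersion;       // identifies the banner text the user saw
    this.consented = new Set(['necessary']);  // strictly necessary cookies need no consent
    this.issued = new Map();                  // cookie name -> category it was set under
    this.log = [];                            // the consent record
  }

  record(action, categories, subjectId, method) {
    this.log.push({
      subjectId, action, categories: [...categories], method,
      noticeVersion: this.noticeVersion,
      at: new Date(this.clock()).toISOString(),
    });
  }

  // Only an explicit user action may call this. Pre-ticked boxes or "continued
  // browsing" never should, so `method` (the UI action taken) is mandatory and logged.
  grant(categories, { subjectId, method }) {
    if (!method) throw new Error('consent requires an explicit user action');
    const unknown = categories.filter((c) => !CATEGORIES.includes(c));
    if (unknown.length) throw new Error(`unknown category: ${unknown.join(', ')}`);
    categories.forEach((c) => this.consented.add(c));
    this.record('grant', categories, subjectId, method);
  }

  // Withdrawal is one call of the same shape as grant, and it removes the cookies
  // that were set under the withdrawn categories.
  withdraw(categories, { subjectId, method }) {
    for (const c of categories) {
      if (c === 'necessary') continue;       // strictly necessary cannot be withdrawn
      this.consented.delete(c);
      for (const [name, cat] of this.issued) {
        if (cat === c) { this.store.remove(name); this.issued.delete(name); }
      }
    }
    this.record('withdraw', categories, subjectId, method);
  }

  // The gate: returns false and sets nothing when the category is not consented.
  // Lifetimes above the 25-month ceiling are clamped down to it.
  setCookie(name, value, { category, maxAgeSeconds = null }) {
    if (!this.consented.has(category)) return false;
    const capped = maxAgeSeconds === null ? null : Math.min(maxAgeSeconds, MAX_LIFETIME_SECONDS);
    this.store.set(name, value, capped);
    this.issued.set(name, category);
    return true;
  }
}

// Constructed walk-through: a visitor arrives, accepts statistics only, then
// withdraws an hour later through the floating button.
function demo() {
  const jar = new MemoryCookieJar();
  let now = Date.parse('2024-06-26T10:00:00Z');
  const cm = new ConsentManager({ store: jar, clock: () => now, noticeVersion: 'banner-v3' });

  const beforeConsent = cm.setCookie('_ga', 'GA1.2.1', { category: 'statistics', maxAgeSeconds: 63072000 });
  cm.setCookie('sessionid', 'abc123', { category: 'necessary' });
  cm.grant(['statistics'], { subjectId: 'visitor-7', method: 'click:accept-selected' });
  const afterConsent = cm.setCookie('_ga', 'GA1.2.1', { category: 'statistics', maxAgeSeconds: 63072000 });
  const adBlocked = cm.setCookie('ad_id', 'xyz', { category: 'advertising', maxAgeSeconds: 94608000 });

  now += 3600 * 1000;
  cm.withdraw(['statistics'], { subjectId: 'visitor-7', method: 'click:floating-button' });
  return { cm, jar, beforeConsent, afterConsent, adBlocked };
}

console.log(demo().cm.log);
```

The `noticeVersion` field is what lets you show later which information the user saw when consent was given; keep an archived copy of every banner revision alongside the log. Use a pseudonymous `subjectId` rather than an email address, since the consent record is itself personal data. In a real deployment the log entries go to the server, and third-party tags are loaded only after `grant` has run for their category, because a tag that has already executed will have set its cookies regardless of what the gate returns.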

4. Create a detailed privacy policy and legal notice

Organizations must publish both a privacy policy and a legal notice that follow the provisions and include all required information stipulated by the guidelines. Ensure that the privacy policy is updated whenever purposes, retention periods, categories of data, third-party recipients, or other relevant factors change. The privacy policy should be linked from an easily accessible place, such as the website footer and the cookie banner, so that users can find and review it without effort.

The legal notice must also contain the minimum required information under the guidelines and provide clear links to the privacy policy where relevant.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.