On January 24, 2024, the Andorran data protection authority (APDA) updated its guidelines titled 'Use of cookies, privacy policy, and legal notice' (the updated guidelines) to incorporate the European Data Protection Board (EDPB) Guidelines on Deceptive design patterns in social media platform interfaces and Guidelines on Technical scope of Article 5(3) of the ePrivacy Directive.

In accordance with EDPB guidelines, the APDA noted that the updated guidelines highlight:

• the limitation of the storage time of cookies with 25 months being the maximum recommended time;
• the permissibility of the non-acceptance of cookies preventing access to the website;
• conditions for consent of minors under 16; and
• recommendations on the design of cookie banners.

Furthermore, the updated guidelines confirm that not having a reject button or something similar constitutes a breach and that pre-marked boxes in parts where users can customize their choices are not considered as valid consent. Lastly, the APDA mentioned that the legal framework for drafting privacy policies and policies on web trackers is the conditions for consent set out in Articles 7 and 8 of the Law of Personal Data Protection and that failure to comply with these may result in financial administrative sanctions amounting between €30,001 and €100,000.

You can read the press release here and the guidelines here, only available in Catalan.