A Guide to the Spanish Cookie Guidance
By Gonzalo Erro and Álvaro Del Hoyo Manene
This article provides key points from the “Guía sobre el uso de las cookies,” or the Spanish cookie guidance, released on April 29 by the Spanish Data Protection Authority (AEPD) together with Anunciantes, AutoControl, ADigital and IAB Spain as representatives of the industry.
Origins, Premises and Motivations
A long time has passed since 13 July 2001, when an amendment led to what finally became Article 5.3 of Directive 2002/58/EC, the first online tracking regulation.
Since then, online advertising has been demonstrating its growing efficiency and reach when compared to traditional advertising means such as television, newspapers and magazines. Concerns regarding the privacy implications of online advertising have increased at the same pace, so that, despite uncoordinated efforts by individual industry members to offer a solution, the Do-Not-Track initiative emerged in the U.S. in 2007 and a review of Article 5 of Directive 2002/58/EC began in Europe.
Finally, as a result of the legislative procedure that concluded with the approval of Directive 2009/136/EC, Article 5.3 of Directive 2002/58/EC was amended with two goals: extending its applicability to the ways of storing and gaining access to information on subscriber and user equipment, and requiring that the subscriber or user concerned has given his or her consent instead of merely having been provided with clear and comprehensive information.
Whether subscriber or user consent should be implicit or explicit is not settled uniformly across European Union Member States, and it is an important issue for the industry players who must understand how and when it is possible to store information or access information on subscriber and user equipment. It varies between Member States and has important consequences in usability and economic terms.
Spanish Cookies Guide
Directive 2002/58/EC Article 5.3, as amended by Directive 2009/136/EC, was transposed into Article 22.2 of Spanish Law 34/2002 on Information Society Services and Electronic Commerce (LSSICE).
The guide contains recommendations and guidance on how to satisfy the requirements of Art. 22 of LSSICE. It is exclusively focused on cookies, that is, http cookies and flash cookies, and not on the quite broad list of other tracking means such as Silverlight isolated storage, Internet Explorer userData storage, HTML5 storage, http ETags, history sniffing, window.name caching, HTML5 canvas caching, http authentication or device fingerprinting.
The guide comprises a set of orientations, guarantees and obligations that the industry commits to disseminate and apply. It does not have the force of law. The AEPD will not take enforcement action over a failure to adopt good practice or to act on the recommendations set out in this guide unless this in itself constitutes a breach of the privacy regulations, mainly the Organic Law 15/1999, on the Protection of Personal Data (LOPD) and the Royal Decree 1720/2007, which approves the regulation on the protection of personal data (RLOPD).
The guide is focused on cookies and other similar means of storing and gaining access to data stored on subscriber and user equipment (“such as local shared objects, flash cookies, etc.”), regardless of whether that equipment is a computer, mobile phone or tablet. Other equipment such as smart TVs, used by natural persons or legal entities when accessing information society services, is not mentioned.
Following LSSICE, certain kinds of cookies are exempted from the guide: those necessary for carrying out or technically facilitating the transmission of a communication over an electronic communications network, and those strictly necessary in order to provide an information society service explicitly requested by the recipient.
Who Should Comply?
The guide distinguishes between:
- First-Party Cookies - The website editor is responsible for notifying users about the purpose of data processing and for obtaining user consent.
- Third-Party Cookies - In this case, both the website editor and the third party are jointly responsible for notifying users about the purpose of data processing and for obtaining user consent.
Key Legal Principles
The guide establishes several options to meet the two main legal requirements set by law: the duty to inform and consent.
Duty to Inform - Article 22.2 of the LSSICE states that the information provided to users about cookies must be "clear and complete." The guide advises how to comply, taking into account:
- Information to be provided: Usage of cookies and the purposes of their processing, ways to opt out of and eliminate cookies, and ways to manage cookies and the permissions to use them
- How to provide the information: Choosing the language and content of the information with an average user in mind, considering that users nowadays lack knowledge regarding cookies, and taking into account web design and functioning, and usability and visibility issues such as format, location and size of links and other techniques
- Ways to inform:
  - Information links provided at the top or at the bottom of the web page;
  - Information links that are easy to view when logging in or before accessing a service or downloading an application;
  - Traditional offline methods, or
  - A layered approach: the first layer notifies the presence of cookies, their purpose, whether they are first- or third-party cookies, and that a particular action will mean the user provides consent, and links to the second layer of information. The second layer should describe the cookies in detail: their kind and purposes, how to deactivate or eliminate them, and whether they are first- or third-party cookies.
- Consent – Obtaining the user's prior consent is mandatory to install and manage a cookie. The guide confirms that consent might be obtained by explicit formulas, such as when configuring a web site, by means of specific configuration of the browser or add-ons, or by clicking on a specific section saying “I agree”, “I accept” or other similar formulas, or even implied or deduced from actions performed by the user, such as scrolling down or clicking on a website link. But for both explicit and implied consent to be valid, it is necessary that the user has been informed previously. The guide also includes the right of users to receive information on how to disable or delete cookies and how to withdraw consent previously given.
- Cookie installation – Cookies may be installed only after the user has been fully informed and consent has been granted by any of the means explained above, bearing in mind that mere user inactivity should never imply consent.
- Changes – As long as consent has been gathered in a valid way, there is no need to inform again every time a user returns to the website, unless changes have been deployed. Information regarding any changes should be provided to users in order to inform them and acquire their consent accordingly. This implies a regular review process of the cookies present, the related information policies and the consent gathering, including the generation and retention of electronic evidence of the information provided and the consent granted.
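The inform, consent, install and re-consent-on-change sequence above, written out as an added example (not code from the guide or from the authors): a small consent gate that refuses to set non-exempt cookies until the user has been informed and has consented by an accepted means, rejects inactivity as consent, invalidates stored consent when the policy version changes, and keeps an evidence record. The class and method names, the exempt and non-exempt cookie names and the policy version strings are assumptions; the cookie store is injected so the logic runs outside a browser.

```javascript
// Added example (not from the guide): a consent gate for cookie installation.
// ConsentGate, EXEMPT, VALID_METHODS and the cookie names are assumptions.
const EXEMPT = new Set(["session_id"]);   // strictly necessary cookies: exempt from consent
// Consent may be explicit or implied from a user action, but never from inactivity.
const VALID_METHODS = new Set(["accept_click", "browser_config", "scroll", "link_click"]);

class ConsentGate {
  constructor(policyVersion, store, now = () => Date.now()) {
    this.policyVersion = policyVersion;  // bump whenever cookies or their purposes change
    this.store = store;                  // {set(name, value), has(name)}; injected so it runs in Node
    this.now = now;
    this.informedAt = null;              // when the first information layer was shown
    this.record = null;                  // electronic evidence of information and consent
  }
  inform() { this.informedAt = this.now(); }   // first information layer displayed
  consent(method) {
    // Consent counts only if the user was informed first and the method is an accepted one.
    if (this.informedAt === null || !VALID_METHODS.has(method)) return false;
    this.record = { method, policyVersion: this.policyVersion,
                    informedAt: this.informedAt, consentedAt: this.now() };
    return true;
  }
  restore(record) {
    // Returning user: a stored record only counts if it covers the current policy version.
    if (record && record.policyVersion === this.policyVersion) { this.record = record; return true; }
    return false;                        // policy changed: inform again and re-obtain consent
  }
  withdraw() { this.record = null; }     // user exercises the right to withdraw consent
  hasValidConsent() {
    return this.record !== null && this.record.policyVersion === this.policyVersion;
  }
  setCookie(name, value) {
    // Exempt cookies are always allowed; everything else waits for valid consent.
    if (!EXEMPT.has(name) && !this.hasValidConsent()) return false;
    this.store.set(name, value);
    return true;
  }
}

// Minimal in-memory cookie jar standing in for document.cookie (constructed for the example).
function memoryStore() {
  const jar = new Map();
  return { set: (n, v) => jar.set(n, v), has: (n) => jar.has(n) };
}
```

In a browser the store would wrap document.cookie; the record is what you persist as evidence and re-check against the current policy version when the user returns.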
Gonzalo Erro, CIPP/E, CIPP/IT, works as a client data protection architect at Accenture. He can be reached at email@example.com.
Álvaro Del Hoyo, CIPP/IT, is a business development manager for telco, internet, media and entertainment industries in S21sec, a Spanish multinational exclusively focused on information security. He can be reached at firstname.lastname@example.org.