Download the PDF with a summary table.

Last Friday, 8 November 2019, the Spanish Data Protection Agency (“AEPD”) published the new Guide on the use of cookies, with the aim of updating its criteria for the appropriate use of cookies to the requirements of the GDPR and the current cookie technology and cookie-management tools.

This Article has been drafted with the purpose of summarising the obligations derived from the Guide on the use of cookies and must be construed in addition to the recent judicial and administrative case-law laying down tips and criteria for an appropriate use of cookies which we have already analysed in our Informative Note of 14 October 2019.

(I) Cookies exempted from the requirement of informed consent

First, the AEPD lays down the exact scope of Article 22.2 of the Spanish Information Society Services Act (“ISSA”), derived from Article 5.3 of Directive 2002/58/EC, whereby cookies can only be used with the informed consent of the user. The AEPD adheres to the Article 29 Working Party’s Opinion 04/2012 on Cookie Consent Exemption to determine that a cookie (i) used for the sole purpose of carrying out the transmission of a communication over an electronic communications network or (ii) strictly necessary to provide a service which has been explicitly requested by the user will not fall within the scope of application of Article 22.2 and hence may be used without informing the user or obtaining his or her consent.

(II) Information to be provided

Article 22.2 ISSA specifies that, prior to requesting his or her consent, the user must obtain clear and complete information about the use of cookies and, where appropriate, about the processing of his or her personal data in accordance with the regulations on personal data protection. This indicates that the user should be able to understand the mechanism and purposes of the cookies used through a website.
As information must be given in a first stage for the consent to be valid, the AEPD recommends displaying it in two layers, so that the essential details on the use of cookies will automatically appear within a banner or within a consent management platform (“CMP”) as soon as the user enters the website, while further information can be found in a second layer (“cookie policy”) which the user can access voluntarily.

The first layer shall include the following details:

  1. Identity of the publisher of the website (just a name or trademark; a registered company name shall not be necessary as this information will be available in the second layer);
  2. The purposes for which the cookies will be used;
  3. Indication as to whether the cookies will be used only by the publisher (first-party cookies) or also by third parties (third-party cookies);
  4. Generic information on the type of data used for advertising purposes, where appropriate;
  5. The way the user will be able to consent or reject the use of cookies (the conditions for obtaining consent are explained below);
  6. A clearly visible link to the cookie policy.

As for the second layer or cookie policy, it must be easily and permanently accessible from any section of the website and gather the information necessary for the average user of the website to understand how cookies work and for what purposes they will be installed, together with all the information required by Article 13 of Regulation (EU) 2016/679 (General Data Protection Regulation or “GDPR”) in the event that personal data are being collected.

(III) Conditions for consent

The AEPD recalls that under Article 4 GDPR a valid consent to one specific purpose must be given by means of a clear affirmative action performed by the user in full awareness of the consequences of such action. Moreover, it must be as easy to withdraw as to give consent. Additionally, no cookie may be installed on the user’s device before he or she has validly given consent.

In consideration thereof, the user must be given the chance to accept or reject all cookies or to select the specific purposes for which cookies may be installed.

Also, the user may be informed that he or she can accept the cookies by just continuing to browse the website, as long as he or she can withdraw consent as easily as he or she consented through a granular consent approach. In no case may access to the second layer be deemed an acceptance of the use of cookies.

(IV) Consent management platforms

The Guide highly recommends the use of CMPs to demonstrate compliance with the duty to obtain a valid informed consent from the user.
A CMP allows the user to select the purposes for which cookies may be installed, as well as to access, through links, further information directly provided by the managers of the different cookies.

(V) Conditions applicable to child’s consent

For websites where the average users are under-fourteens, a publisher shall be required to apply an additional effort to verify that consent of the user is given by his or her parents or legal guardians. Further, the need to strengthen the data protection guarantees of the users shall be kept in mind, especially in relation to the data minimisation principle.
For example, the AEPD states that if a website obtains data solely for analytical purposes, a valid consent may be obtained by installing a prior warning which informs the user of the need to ask his or her parents or guardians to give consent on his or her behalf.

(VI) Possibility to deny access if consent is not given

Access to a website may be denied to a user who does not consent to the use of cookies (including advertising cookies) provided that denial does not prevent the exercise of a right.

(VII) Responsibility

The AEPD considers that Article 22.2 of ISSA does not define who shall be responsible for informing and obtaining consent. Thus, it takes the view that both the publisher and those third parties managing cookies as data controllers shall coordinate to comply with these tasks.

Notwithstanding the above, if a publisher uses a CMP which allows said third parties to directly inform the users and record consents, then the third parties will be individually responsible for informing and obtaining consent.

The AEPD recalls that some entities which create and manage their own cookies, such as media agencies or trading desks, will usually use their cookies on behalf of several advertisers as data processors; thus, a misuse of cookies by that processor will lead to independent liabilities of these advertisers. There is no way to transfer that responsibility from the controller to the processor before a supervisory authority, though a comprehensive set of contractual guarantees and obligations may require the processor to compensate the controller for any sanctions, damages or injunctive relief arising from a wrongful use of the processor’s cookies.
