(I) Cookies exempted from the requirement of informed consent
First, the AEPD lays down the exact scope of Article 22.2 of the Spanish Information Society Services Act (“ISSA”), derived from Article 5.3 of Directive 2002/58/EC, whereby cookies can only be used with the informed consent of the user. The AEPD adheres to the Article 29 Working Party’s Opinion 04/2012 on Cookie Consent Exemption to determine that a cookie (i) used for the sole purpose of carrying out the transmission of a communication over an electronic communications network or (ii) strictly necessary to provide a service which has been explicitly requested by the user will not fall within the scope of application of Article 22.2 and hence may be used without informing the user or obtaining his or her consent.
(II) Information to be provided
The first layer shall include the following details:
- Identity of the publisher of the website (just a name or trademark; a registered company name shall not be necessary as this information will be available in the second layer);
- The purposes for which the cookies will be used;
- Indication as to whether the cookies will be used only by the publisher (first-party cookies) or also by third parties (third-party cookies);
- Generic information on the type of data used for advertising purposes, where appropriate;
(III) Conditions for consent
The AEPD recalls that, under Article 4 GDPR, valid consent to one specific purpose must be given by means of a clear affirmative action performed by the user in full awareness of the consequences of such action. Moreover, it must be as easy to withdraw consent as to give it. Additionally, no cookie may be installed on the user’s device before he or she has validly given consent.
In consideration thereof, the user must be given the chance to accept or reject all cookies or to select the specific purposes for which cookies may be installed.
(IV) Consent management platforms
The Guide highly recommends the use of consent management platforms (CMPs) to demonstrate compliance with the duty to obtain valid informed consent from the user.
A CMP allows the user to select the purposes for which cookies may be installed, as well as to access, through links, further information directly provided by the managers of the different cookies.
(V) Conditions applicable to child’s consent
For websites where the average users are under fourteen, a publisher shall be required to make an additional effort to verify that consent of the user is given by his or her parents or legal guardians. Further, the need to strengthen the data protection guarantees of the users shall be kept in mind, especially in relation to the data minimisation principle.
For example, the AEPD states that if a website obtains data solely for analytical purposes, a valid consent may be obtained by installing a prior warning which informs the user of the need to ask his or her parents or guardians to give consent on his or her behalf.
(VI) Possibility to deny access if consent is not given
The AEPD considers that Article 22.2 of the ISSA does not define who shall be responsible for informing and obtaining consent. Thus, it takes the view that both the publisher and those third parties managing cookies as data controllers shall coordinate to comply with these tasks.
Notwithstanding the above, if a publisher uses a CMP which allows said third parties to directly inform the users and record consents, then the third parties will be individually responsible for informing and obtaining consent.