The document analyses the need to obtain the user’s informed consent before installing cookies, covering both the obligation of transparency in the information provided and the consent itself, bearing in mind the stricter requirements of the new data protection regulations.

The Spanish Data Protection Agency (AEPD) and the associations Adigital, Advertisers, Autocontrol and IAB Spain have presented the Cookie Usage Guide, updated to the new regulations.

The Guide includes the guidelines, guarantees and obligations that the industry must apply to use both cookies and similar technologies (fingerprinting and others) in compliance with current legislation.

The solutions proposed in the Guide are intended to provide guidance on how to comply with the obligations set out in the second paragraph of Article 22 of Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI), in relation to the General Regulation on Data Protection (RGPD) and Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights (LOPDGDD).

In addition, the European Parliament and Council are negotiating the Proposal for a Regulation on respect for privacy and the protection of personal data in the electronic communications sector (ePrivacy Regulation), with the objectives of increasing the levels of protection of electronic communications and boosting commercial opportunities, which is expected to be adopted in 2020.

The main elements and obligations of the Guide for the use of cookies and other data storage and retrieval devices on computers are indicated below.

  • Regarding transparency when offering information about cookies, the Guide determines that the information must be concise, transparent and intelligible, using clear and simple language and avoiding confusing or generic phrases.
  • The information offered to users about cookies must be sufficiently complete to allow them to understand the purposes of the cookies and how they will be used.
  • When giving consent for the use of cookies, the Guide promotes information by layers, or privacy notices by levels, to ensure that the information is easily accessible. The Guide also clarifies that this information must be provided before the use or installation of cookies through a visible format, and that it must be maintained until the user performs the required action to grant consent or refuse the installation.

In the first layer, the following information will be provided:

  • Identification of the publisher responsible for the website.
  • Identification of the purposes of the cookies to be used.
  • Information about whether cookies are own or from third parties.
  • Generic information about the type of data collected and used where user profiles are created.
  • The way in which the user can accept, configure and reject the use of cookies.
  • A clearly visible link to the second layer that includes more detailed information, which can be used to lead the user to the cookie settings panel.

The Guide provides examples of the information to be entered in the second layer:

  • Definition and generic function of cookies. Information about the type of cookies used and their purpose.
  • Identification of who uses cookies.
  • Information about how to accept, deny, revoke consent or delete cookies. Where appropriate, information on data transfers to third countries.
  • Information on profiling.
  • Data retention period.

  • As examples of a valid way to obtain consent, the Guide includes the options to accept, reject or configure cookies. The option of “keep browsing” is accepted as valid for obtaining consent after the user has been informed about it.
  • There is also a section on updating consent, which highlights as good practice that consent for the use of a given cookie should not remain valid for longer than 24 months and that, during this time, the selection the user made about their preferences is preserved, so that they are not asked for new consent every time they visit the page.
  • Finally, remember that there are a number of cookies whose only purpose is to allow communication between the user’s equipment and the network, or to provide a service requested by the user (technical cookies). These are excluded from the scope of the applicable regulations, and it is not necessary to inform users or obtain consent about their use. However, for reasons of transparency, the AEPD recommends reporting their use and includes the following example of an information clause: “This website uses cookies that allow the operation and provision of the services offered therein.”