The document analyses the need to obtain the user’s informed consent before installing cookies, including both the obligation of transparency in the information and the consent itself, bearing in mind the stricter requirements of the new data protection regulations.
The Spanish Data Protection Agency (AEPD) and the associations Adigital, Advertisers, Autocontrol and IAB Spain have presented the Cookie Usage Guide, updated to the new regulations.
The Guide includes the guidelines, guarantees and obligations that the industry must apply to use both cookies and similar technologies (fingerprinting and others) in compliance with current legislation.
The solutions proposed in the guide are intended to provide guidance on how to comply with the obligations set out in the second paragraph of Article 22 of Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI), in relation to the General Regulation on Data Protection (RGPD) and Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights (LOPDGDD).
In addition, the European Parliament and Council are negotiating the Proposal for a Regulation on respect for privacy and the protection of personal data in the electronic communications sector (ePrivacy Regulation), with the objectives of increasing the levels of protection of electronic communications and boosting commercial opportunities, which is expected to be adopted in 2020.
- Regarding transparency when offering information about cookies, the Guide determines that the information must be concise, transparent and intelligible, using clear and simple language and avoiding confusing or generic phrases.
- The information offered to users about cookies must be sufficiently complete to allow them to understand the cookies' purposes and the use that will be made of them.
In the first layer, the following information will be provided:
- Identification of the publisher responsible for the website.
- Identification of the purposes of the cookies to be used.
- Information about whether cookies are first-party (own) or from third parties.
- Generic information about the type of data collected and used when user profiles are created.
- A clearly visible link to the second layer that includes more detailed information, which can be used to lead the user to the cookie settings panel.
The Guide provides examples of the information to be entered in the second layer:
- Definition and generic function of cookies. Information about the type of cookies used and their purpose.
- Information about how to accept, deny, revoke consent or delete cookies. Where appropriate, information on data transfers to third countries.
- Information on profiling.
- Data retention period.
- As examples of a valid way to obtain consent, the Guide includes the options to accept, reject or configure cookies. The option of “keep browsing” is accepted as valid for obtaining consent after the user has been informed about it.
- There is also a section on updating consent, which highlights as good practice that the validity of consent for the use of a given cookie should not last longer than 24 months and that, during this time, the selection made by the user about their preferences is preserved, without a new consent being requested every time they visit the page.