I) Duty of Information
The Section 22.2 of the Spanish Act on Information Society Services (hereinafter LSSI) states that users must be provided with clear and complete information on the use of storage devices and data recovery that may allow the user to understand the purpose for which they were installed and the uses that will be given to such devise; and more specifically, the user must be duly informed about the data processing pursuant to the Law on Personal Data Protection. This involves accordingly the necessary information to revoke the consent and deleting cookies permanently in a user-accessible way.
In order to ensure adequate information, two requirements are established by the Judgment 15/2011 of the article 29 Working Group:
- The quality of the information provided (appropriate language according to each recipient)
- Accessibility and visibility of the information (link format different from the texts of the web, positioning, and text descriptive name).
In order to provide this information, the guide points out different systems, the most common being:
- The provision of information through a visible header bar or footer.
- Information by layers: the system shows in the first layer essential information on cookies at the time of accessing the web and a second layer, which would include more detailed information.
- Through browser settings.
- During the process of configuring the operation of the website or application.
II) Obtaining consent
- Obtaining Consent This consent may be obtained by different specific formulas or by some behavior / positive action by the user, when this has all the information, but in this case, it is more difficult. It is therefore necessary that the consent has been accordingly informed. In any case the mere user inactivity does not imply consent provision by itself.
- Who provides consent? The consent must be given by the recipient of the service, which is the natural or corporate person who uses, whether or not, for professional reasons, a service of the Information Society.
- Methods for obtaining consent. The conditions shall depend on the type of cookies to be installed, its purpose and the ownership whether if these belong to the interested party or they belong to third parties. It it´s also necessary to state if the consent lends only to the website of the same publisher or others related with the editor.
- When is it possible for the cookies to be installed? The installation of the cookies must be at the same moment when the user has received all the information about cookies as well as the method to obtain consent using the procedures shown, so the user may decide whether to allow the deployment of these devices or not.
- Obtaining the consent when a publisher provides services through different websites An editor that provides services in different websites, may inform and obtaining consent for the installation of cookies from just one single website which may send such information to the rest of the websites, providing always that such websites share the ownership and offer similar content.
- Possibility to deny access to the service in the event of rejection of cookies. It is possible to deny the access to the service, providing always that such refusal does not prevent the exercise of a legal right to the user for accessing this website or in such cases when the website is the only mean to execute a certain right (e.g. deregistration from a telephone service).