On April 29th, 2013, the Spanish Data Protection Agency (hereinafter AGPD), in collaboration with industry representatives, released a Practical Guide on the use of cookies, in order to achieve greater legal certainty regarding the duty to inform the user and to obtain consent that falls on service providers.

The guide focuses on the scope of Section 22.2 of Act 34/2002 dated July 11th, on information society and e-commerce services. This Section refers to the use of cookies or similar technologies (LSO or Flash cookies, etc.) that are intended to store and retrieve data from a device (PC, tablet, mobile phone, etc.) belonging to a natural or corporate person who uses an information society service. It raises a number of issues and obligations that are detailed below.

I) Duty of Information

Section 22.2 of the Spanish Act on Information Society Services (hereinafter LSSI) states that users must be provided with clear and complete information on the use of data storage and retrieval devices, so that the user can understand the purpose for which they were installed and the uses that will be made of such devices. More specifically, the user must be duly informed about the data processing pursuant to the Law on Personal Data Protection. Accordingly, this includes the information needed to revoke consent and to delete cookies permanently, presented in a way that is accessible to the user.

In order to ensure adequate information, two requirements are established by the Judgment 15/2011 of the Article 29 Working Group:

  • The quality of the information provided (language appropriate to each recipient).
  • The accessibility and visibility of the information (a link format distinct from the rest of the website's text, its positioning, and a descriptive name for the link).

The guide points out different systems for providing this information, the most common being:

  1. The provision of information through a visible header bar or footer.
  2. When a user registers for a service or downloads an application, this information may be supplied together with the privacy policy or the terms and conditions of use. It is important to note that users already registered on a website must be informed about any changes made to the treatment of cookies, and that continuing to use the service implies their tacit acceptance.
  3. Information by layers: the first layer shows essential information on cookies at the time of accessing the website, and a second layer includes more detailed information.
  4. Through browser settings.
  5. During the process of configuring the operation of the website or application.

II) Obtaining consent

  1. Obtaining consent. Consent may be obtained through specific formulas or through some behavior or positive action by the user, when the user has all the information, although in that case it is more difficult. It is therefore necessary that the consent be informed. In any case, mere user inactivity does not by itself imply consent.
  2. Who provides consent? The consent must be given by the recipient of the service, which is the natural or corporate person who uses, whether or not for professional reasons, a service of the Information Society.
  3. Methods for obtaining consent. The conditions depend on the type of cookies to be installed, their purpose and their ownership, that is, whether they belong to the interested party or to third parties. It is also necessary to state whether the consent applies only to the website of the same publisher or also to others related to the publisher.
  4. When is it possible for the cookies to be installed? Cookies must be installed at the moment when the user has received all the information about cookies, as well as the method for obtaining consent through the procedures shown, so that the user may decide whether or not to allow the deployment of these devices.
  5. Obtaining the consent when a publisher provides services through different websites. A publisher that provides services on different websites may inform users and obtain consent for the installation of cookies from a single website, which may send such information to the rest of the websites, provided that those websites share the same ownership and offer similar content.
  6. Changes in the use of cookies. If consent has been duly obtained from a user, it is not necessary to obtain it again each time the user visits the page. However, it must be obtained again if the purpose of using cookies changes after the consent has been obtained.
  7. Possibility to deny access to the service in the event of rejection of cookies. It is possible to deny access to the service, provided that such refusal does not prevent the user from exercising a legal right of access to this website, and except in cases where the website is the only means to exercise a certain right (e.g. deregistration from a telephone service).