Spanish Data Protection Authority Issues Guidelines on Use of Cookies

The Spanish data protection authority ("AEPD") has published guidelines on the use of cookies. The guidelines were drafted with the help of leading organizations in the marketing and online advertising industries, including IAB Spain.

In accordance with the latest decision by the European Court of Justice ("ECJ") in the case of Planet49 (see our related update), the AEPD guidelines require website operators to obtain active and informed consent from their users prior to the placement of cookies on their terminal devices. Cookies, which are necessary for the service requested by the users and technical cookies enabling communication between the user's terminal and the network, are exempted from requiring consent. However, the AEPD recommends providing users with general information as to the use of such cookies.

These guidelines also present the minimum information that websites must provide to their users in order to obtain informed consent. In this regard, the guidelines require that the information provided, will be concise, transparent, clear and intelligible, avoiding the use of confusing and complicated language. For example, using expression such as "we may use cookies to improve the browsing in the website" will not be considered as being compliant. The AEPD enables website operators to divide the information into two layers of policies, with the second layer intended to provide further information to users.

Unlike the guidelines issued by its United Kingdom and French Counterparts (ICO and CNIL respectively), the AEPD explicitly recognizes, in certain circumstances, the "continue browsing" mechanism as valid active consent as long as the user has been given adequate notice. According to the AEPD, the notice must be displayed in a clear and visible place, taking into account its shape, color, size and location to ensure the notice has not gone unnoticed and to overcome the unambiguous consent requirement raised by the ECJ. Actions, such as the use of a scroll bar, clicking on links in the website and swiping the initial screen, may be considered valid and affirmative consent if the relevant information was provided to users.

The guidelines also analyze the use of Consent Management Platforms, minor's consent, the option of denying access where consent was not granted and the need for renewal of consent. The AEPD requires that consents be renewed at least once in every 24 months.