On April 26th, the Spanish Data Protection Agency (“SDPA”) issued its long-awaited guidance on the Spanish cookies regulation, which requires companies seeking to place cookies on users’ devices to obtain those users’ prior opt-in consent after providing them with clear and complete information about the use of cookies and the purposes for which data collected via cookies will be processed.  The guidance, which the SDPA drafted in collaboration with industry, takes a business-oriented approach and provides companies with several alternatives for complying with the regulation’s notice and consent requirements. 

The cookies regulation is set forth in Article 22.2 of Act 34/2002 on Information Society Services and Electronic Commerce, which was amended by the Royal Decree Law 13/2012 in 2012 to implement the EU e-Privacy Directive in Spain.

Notice

In the guidance, the SDPA sets forth a number of different ways that notice can be provided to users, including by providing the requisite information to users in two steps or layers. In the “first layer”, users accessing a website would be informed, through a banner, of the fact that the website uses cookies, the purposes for which cookies are installed on users’ devices, whether cookies belong to the website owner or to a third party, and the specific action that would constitute consent to the use of cookies.  The “first layer” would also include a link to the “second layer” (i.e., the “cookies policy”), which would contain more detailed information about the use of cookies.

Consent

The SDPA states in the guidance that implied consent may constitute valid consent to the use of cookies. However, the SDPA clarifies that silence or inaction does not constitute valid consent. Rather, a user must perform a conscious and positive action in order to provide his/her consent. Examples of such an action include clicking on any content on the website or using the scroll bar within the website. In any event, as noted above, in order for an action to constitute consent, users must be informed that by performing such an action they are consenting to the use of cookies.

The SDPA also states in the guidance that a company may obtain consent from users not only for the use of cookies on the website on which such consent is requested, but also for the use of cookies on similar websites operated by that company.

Third Party Cookies

Finally, the guidance examines situations in which websites use cookies that belong to a third party (i.e., third party cookies). With respect to third party cookies, the SDPA states that both the website owner and the third party controlling the cookie are responsible for complying with the cookies regulation (e.g., providing notice and obtaining consent).

Enforcement

Following the release of the guidance on the cookies regulation, it is likely that the SDPA will pay greater attention to companies’ policies and procedures regarding the use of cookies. Therefore, companies should review their cookies-related policies and procedures in order to ensure they are consistent with the criteria set forth by the SDPA in the guidance.