The Spanish Data Protection Agency (AEPD) has issued guidance on the use of cookies, aimed at addressing the confusion caused following the national implementation of the 2009 amendments to the e-Privacy Directive (Directive 2009/136/EC: the "cookie" directive). The Directive prohibits websites from using cookies and other tracking tools to gather information from users without consent, unless those tools are being used for website "necessary" purposes (which are narrowly defined, but include, for example, cookies used to serve behavioral advertising). The new Spanish guidance has been drafted by the AEPD in consultation with industry associations and provides information on how a user's consent to the use of cookies can be obtained, and how to describe cookie usage to users. The guidance permits companies to provide information on cookies in layers. A first layer containing "essential information" can be provided in a banner that appears when the user initially accesses the website. It should provide basic information about cookies and a link to a second layer that contains more detailed information on the website cookie and/or privacy policy. Consent can be implied, however some sort of action is needed. For example, if the user scrolls through a site where clear information about cookie usage is displayed. 

TIP: Spain has now joined a limited number of EU countries (including UK, Denmark, France and Sweden) that are providing guidance on how to comply with the EU "Cookie" Directive. Companies that host sites in European Member States should remember that they will need consent prior to using "non-necessary" cookies.