The Spanish data protection authority, the AEPD, has issued the first European cookie fine for the violation of Article 22.2 of Spain’s Information Society Services and Electronic Communications Law 34/2002 (Spanish E-Commerce Act), as amended by Royal Decree Law 13/2012 which implements the e-Privacy Directive (Directive 2002/58).
- In the heading or foot page of the website
- Through the website Terms & Conditions
- Through a banner which offers information in a layered approach
- Second layer: link to a cookies policy with more detailed information on cookie use, specifically the definition and function of each cookie, information about the types of cookies used, information about how to delete cookies and identification of all parties who place cookies
The Cookies Guide also clarifies the way in which consent to cookies must be obtained. This includes:
- Configuration of browser functions
- Feature led when a website offers a new function
- Download of specific website content
- Configuration of website functions
Implied consent can only be deemed from a user’s specific action, as opposed to inactivity, such as the use of a scroll bar in the vicinity of where cookies information was highly visible, or otherwise clicking on website content.
The AEPD’s landmark decision has resulted in the first EU cookie fine being issued, and could well set the precedent for further penalties in the future for website operators with slack cookie practices.