Spanish AEPD Cookie Guidelines: The Ultimate Guide
In anticipation of the GDPR, the Spanish AEPD issued cookie guidelines to help businesses get ready for compliance.
The GDPR – General Data Protection Regulation – is the European set of data security rules that went into effect in May 2018.
What is the AEPD?
AEPD is short for “Spanish Agency for Data Protection.” Their role is to guarantee that Spaniards follow European law and the LOPD-GDD – Organic Law of Protection of Personal Data and Guarantee of Digital Rights.
The AEPD is informative and instructive in nature. On their website, they have a total of 66 guides, some of which are also available in English.
In addition, tools, videos, and other mechanisms for implementing compliance solutions are available to the user.
What are the AEPD Guidelines?
The AEPD published three guidelines in 2017 to help people, particularly Small and Medium Enterprises (SMEs), in dealing with the necessary preparations for data protection compliance.
These guides have been updated and new ones have been added to the list until 2020.
AEPD - GDPR GUIDELINES FOR SPANISH SMEs
What is WP29?
WP29 stands for “Article 29 Working Group”, an independent working party that dealt with issues relating to privacy and personal data protection and was replaced by the European Data Protection Board, EDPB, after the GDPR went into effect. WP29 was comprised of a representative from each EU Member State's data protection authority, the European Data Protection Supervisor, and the European Commission. It was introduced in 1996.
What is EDPB?
The European Data Protection Board (EDPB) is an independent organization that ensures that the GDPR is consistently applied in the European Union (EU), as well as Norway, Liechtenstein, and Iceland.
They also encourage cooperation among the EU states' data protection authorities.
What is LSSI?
LSSI is an acronym for the Law of the Society of Information Services and Electronic Commerce of Spain, also known as LSSICE.
What are cookies, and which are exempt from the law?
Cookies are text files that are housed in the user’s computer when they visit a website. They are used to collect data.
According to the LSSI article, "Service providers may use data storage and retrieval devices in the terminal equipment of the recipients, provided that they have given their consent after they have been provided with clear and complete information on their use, in particular, on the purposes of data processing, in accordance with the provisions of Organic Law 15/1999, of December 13th, on the Protection of Personal Data”.
Some cookies are exempt from the provisions of Article 22.2 of the LSSI and do not require consent to be used. They are as follows:
- "User input" cookies.
- User authentication or identification cookies (session only).
- User security cookies.
- Media player session cookies.
- Session cookies to balance the load.
- Cookies for customizing the user interface.
- Certain add-on cookies (plug-ins) to exchange social content.
What kinds of cookies do websites use?
- First-party vs. Third-party cookies
When a user requests a service, the editor sends first-party cookies.
Third-party cookies are sent by a computer or domain that is not managed by the publisher, but rather by another entity that processes the data obtained.
- Session vs. Persistent
Session cookies collect and store data while a user navigates a website and then expire at the end of the session.
Persistent cookies are stored in the terminal and can be accessed and processed for a set period of time, which can range from a few minutes to several years.
- Technical cookies.
They allow the user to navigate through a web page, platform, or application and use the various options or services available. Cookies are used for a variety of purposes, including controlling traffic and data communication, identifying the session, and accessing restricted access parts, among others.
This category also includes cookies used to manage advertising spaces. These cookies are exempt from all obligations when they are used exclusively to provide the service requested by the user.
- Preference or customization cookies
They allow a personalized user experience in a website by remembering options and choices such as language, filters, etc.
When the user chooses these characteristics, they are exempt from the obligations of Article 22.2 of the LSSI.
- Analysis or measurement cookies
They enable someone to quantitatively monitor and analyze the website's user behavior.
According to the WP29, they are not exempt from the duty to obtain informed consent for their use, but they are unlikely to pose a privacy risk when they are first-party cookies.
- Behavioral advertising cookies
These are the ones that collect information about user behavior through continuous monitoring of their browsing habits, allowing for the delivery of personalized advertisements.
What and how should users be informed about cookies?
Users should be informed about:
- Cookie definition, type, generic function, and purpose.
- How to accept, deny, or revoke consent.
- Where appropriate, information on data transfers to third countries made by the editor.
- When profiling involves automated decision-making that has legal consequences for the user or has a similar impact on them.
- Period of data conservation for the different purposes established in GDPR article 13.2a.
Users must be informed in a concise, understandable, clear, and unambiguous manner.
During consent collection, this information cannot be more than two clicks away from the first page. The main information is to be provided in two layers, the main layer and a detailed, optional layer, in a clearly visible notice.
How to obtain consent?
The most appropriate method of obtaining consent will be determined by the type of cookies, their purpose, and whether they are your own or those of third parties.
It is necessary to inform the user if data will be shared with other web pages of the same publisher or even with third parties associated with the publisher.
Some of the mechanisms that can be used to obtain consent are as follows:
- When requesting a service discharge.
- During the process of configuring the website's or application's operation.
- Through consent management platforms (CMP).
- Before the moment when a service or application is offered.
- Through the layered information format.
- Through browser settings.
What does an AEPD compliant cookie banner look like?
According to the Spanish DPA cookie guidelines, information can be provided in two layers. The first layer must be identified by a generally used term, such as “cookies”, and must contain the following information:
- Identification of the purposes of the cookies used on the website.
- Information on whether such cookies are solely the website manager's cookies or whether third-party cookies are also used.
- General information on the types of data that will be collected and used if user profiling is used (for example, when behavioral advertising cookies are used).
- The manner in which users can accept, set up, and reject cookie use, including a warning that if they proceed with certain actions, it will be assumed that users accept cookie use.
The AEPD cookie guidelines provide the following examples of compliant cookie banners:
It is stated that cookies (analytics and behavioral advertising cookies) are used by both the website editor and third parties, and a link is provided for users to learn more about the cookies, which also directs the user to the cookie setup panel. Besides, when users click the "Accept Cookies" button, explicit user consent is obtained. If the user does not click the "Accept Cookies" button, cookies are not being set. As a result, if users continue to browse without clicking "Accept Cookies," cookies are disabled.
It is provided that cookies are set by both the website editor and a third party (analytics and advertising cookies). A link is provided to take the user to the second layer, which contains more detailed information about cookies. The manner through which a user can accept or reject cookies is also specified. A link to cookie configuration is already available.
The websites listed below are examples of Spanish websites that adhere to the aforementioned DPA rules.
How to obtain consent from children under the age of 14?
The WP29 advises organizations to avoid creating profiles of children for marketing purposes in general.
For websites or online services aimed specifically at minors, extra care must be taken to ensure that the language used is simple and clear.
In the case of minors under 14 years of age, the data controller must ensure that the holder of parental authority or guardianship has given consent for the processing of personal data.
As a result, the level of risk associated with cookie use should be considered. The lower the risk, the simpler the verification system that can be implemented.
For example, in the case of a website aimed at minors who did not register, and if their device and navigation data are only used for analytical purposes, the holder of parental authority or guardianship could be obtained through warning or call directed to the minor. The first information layer should state that “if you are under 14 years of age, notify your father, mother, or guardian to accept, configure, or reject cookies before continuing browsing”.
When cookies are used to store data about users or their terminal for experience customization and no profile of the minor is created, additional precautions should be taken to verify that consent was given or authorized by the holder of parental authority or guardianship.
The editors may use any reasonable verification formula to ensure that the person with parental authority or guardianship is the one who gives consent, not the minor under fourteen years of age (for example, questions or captchas).
Higher-risk uses may necessitate additional information from parents or guardians for verification (for example, a contact email to which the editor can send an email to verify acceptance by the minor's parents or guardian).
Obtaining cookie consent when an editor provides services through different pages
Users have to be informed about the web pages or domains to which cookies will be sent, the type of cookies, and the purposes for which they will be processed.
If a publisher provides services with distinct characteristics, additional safeguards must be taken.
Do I need to get consent again if I make changes to my cookie usage?
It will not be necessary to obtain consent every time a user visits the same web page where the service is offered.
When should I update the consent?
The EDPB recommends consent renewal at appropriate intervals as best practice. The agency considers it good practice that consent validity be limited to 24 months.
During this time, any preferences selections made by the user should be preserved.
Withdrawal of consent for cookie use
Users must be able to easily and at any time revoke their consent.
Possibility of denial of access to the service in case of rejection of cookies
Because the EDPB guidelines on consent state that it must be freely given, access to services and functionalities must not be conditional on cookie acceptance.
This criterion is particularly important when denying access would prevent the exercise of a legally recognized right.
The website owners will not be required to report on cookie usage:
- As long as they are only used for the website's operation;
- If they are included in the category of exempt cookies.
If cookies are used to create a marketing profile to store data for other commercial purposes, the editor must:
- Mention it clearly;
- Allow access to the cookie configuration panel;
- Allow users to reject cookies while still having access to the website.
Examples of Compliant Cookie Banners
The Spanish DPA, AEPD cookie guidelines reveal which cookie banners are likely to be cookie-compliant.
(Source: AEPD Cookie Guidelines)
(Source: AEPD Cookie Guidelines)
Checklist for compliance with AEPD Guidelines
The checklist below will help you stay in compliance with the AEPD cookie guidelines.
▢ Have a cookie consent banner or another mechanism in place to collect users’ consent for cookies
▢ Inform your users about cookies, their purposes, who uses them, how to reject or withdraw them, the data conservation period, and so on. Provide this information in a concise, understandable, clear, and unambiguous manner.
▢ Ensure that the information you want to provide is no more than two clicks away from the first page. The main information is provided in two layers, the main layer and a detailed, optional layer, in a clearly visible notice.
▢ Do not place cookies before obtaining consent, except for essential cookies. Consent can be obtained by clicking on the "I consent" or "I accept" buttons, or other terms of a similar nature
▢ Keep the user's choice, whether accepting or rejecting, for no more than 24 months
▢ Collect consent for each category of processing
▢ Avoid using cookie walls to be on the safe side
▢ Maintain logs of the user consent choice.
Our detailed GDPR compliance guide
The ultimate guide to GDPR Cookie Consent Compliance
10 Principles of PIPEDA Explained: A Comprehensive Guide to Privacy Compliance with Canada's Data Privacy Law [Updated 2024]
Explore PIPEDA's 10 principles for robust privacy compliance. Learn key concepts, compare global data protection laws, and stay informed on Canadian privacy regulations. Consult our guide today
- Canada PIPEDA
Understanding the New Swiss Federal Act on Data Protection (FADP)
Explore the significant changes brought by Switzerland's New Federal Act on Data Protection (FADP) effective from September 2023. Learn about its impact on businesses, the key differences from GDPR, and essential guidelines for ensuring compliance.
- Europe GDPR
PIPEDA vs GDPR: Key Similarities and Differences Between Canada Personal Information Protection and Electronic Documents Act and EU General Data Protection Regulation
Explore differences between PIPEDA and GDPR, key principles, scope, and compliance. Navigate data protection in Canada and the EU with this comprehensive guide.
- Canada PIPEDA