December 7, 2020

Spanish AEPD Cookie Guidelines: The Ultimate Guide

In anticipation of the GDPR, the Spanish AEPD issued cookie guidelines to help businesses get ready for compliance.

The GDPR – General Data Protection Regulation – is the European set of data security rules that went into effect in May 2018. 

What is the AEPD?

AEPD is short for “Spanish Agency for Data Protection.” Their role is to guarantee that Spaniards follow European law and the LOPD-GDD – Organic Law of Protection of Personal Data and Guarantee of Digital Rights. 

The AEPD is informative and instructive in nature. On their website, they have a total of 66 guides, some of which are also available in English. 

In addition, tools, videos, and other mechanisms for implementing compliance solutions are available to the user.

What are the AEPD Guidelines?

The AEPD published three guidelines in 2017 to help people, particularly Small and Medium Enterprises (SMEs), in dealing with the necessary preparations for data protection compliance. 

These guides have been updated and new ones have been added to the list until 2020.

AEPD - GDPR GUIDELINES FOR SPANISH SMEs

What is WP29?

WP29 stands for “Article 29 Working Group”, an independent working party that dealt with issues relating to privacy and personal data protection and was replaced by the European Data Protection Board, EDPB, after the GDPR went into effect. WP29 was comprised of a representative from each EU Member State's data protection authority, the European Data Protection Supervisor, and the European Commission. It was introduced in 1996.

What is EDPB? 

The European Data Protection Board (EDPB) is an independent organization that ensures that the GDPR is consistently applied in the European Union (EU), as well as Norway, Liechtenstein, and Iceland. 

They also encourage cooperation among the EU states' data protection authorities.

What is LSSI?

LSSI is an acronym for the Law of the Society of Information Services and Electronic Commerce of Spain, also known as LSSICE.

What are cookies, and which are exempt from the law?

Cookies are text files that are housed in the user’s computer when they visit a website. They are used to collect data. 

It is necessary to inform and obtain consent for the use of cookies for both first and third party cookies, whether session or persistent. 

According to the LSSI article, "Service providers may use data storage and retrieval devices in the terminal equipment of the recipients, provided that they have given their consent after they have been provided with clear and complete information on their use, in particular, on the purposes of data processing, in accordance with the provisions of Organic Law 15/1999, of December 13th, on the Protection of Personal Data”.

Some cookies are exempt from the provisions of Article 22.2 of the LSSI and do not require consent to be used. They are as follows:

  • "User input" cookies.
  • User authentication or identification cookies (session only).
  • User security cookies.
  • Media player session cookies.
  • Session cookies to balance the load.
  • Cookies for customizing the user interface.
  • Certain add-on cookies (plug-ins) to exchange social content.

What kinds of cookies do websites use?

  • First-party vs. Third-party cookies

When a user requests a service, the editor sends first-party cookies. 

Third-party cookies are sent by a computer or domain that is not managed by the publisher, but rather by another entity that processes the data obtained.

  • Session vs. Persistent

Session cookies collect and store data while a user navigates a website and then expire at the end of the session. 

Persistent cookies are stored in the terminal and can be accessed and processed for a set period of time, which can range from a few minutes to several years.

  • Technical cookies. 

They allow the user to navigate through a web page, platform, or application and use the various options or services available. Cookies are used for a variety of purposes, including controlling traffic and data communication, identifying the session, and accessing restricted access parts, among others. 

This category also includes cookies used to manage advertising spaces. These cookies are exempt from all obligations when they are used exclusively to provide the service requested by the user.

  • Preference or customization cookies 

They allow a personalized user experience in a website by remembering options and choices such as language, filters, etc. 

When the user chooses these characteristics, they are exempt from the obligations of Article 22.2 of the LSSI.

  • Analysis or measurement cookies 

They enable someone to quantitatively monitor and analyze the website's user behavior. 

According to the WP29, they are not exempt from the duty to obtain informed consent for their use, but they are unlikely to pose a privacy risk when they are first-party cookies.

  • Behavioral advertising cookies

 These are the ones that collect information about user behavior through continuous monitoring of their browsing habits, allowing for the delivery of personalized advertisements.

What and how should users be informed about cookies?

Users should be informed about:

  • Cookie definition, type, generic function, and purpose.
  • Identification of who uses cookies.
  • How to accept, deny, or revoke consent.
  • Where appropriate, information on data transfers to third countries made by the editor.
  • When profiling involves automated decision-making that has legal consequences for the user or has a similar impact on them.
  • Period of data conservation for the different purposes established in GDPR article 13.2a.

Users must be informed in a concise, understandable, clear, and unambiguous manner. 

During consent collection, this information cannot be more than two clicks away from the first page. The main information is to be provided in two layers, the main layer and a detailed, optional layer, in a clearly visible notice. 

This information may be provided along with the privacy policy when requesting registration for a service or before downloading a service or an application.

Other information required by GDPR article 13 that is unrelated to cookies may be referenced in the privacy policy.

How to obtain consent?

To use cookies that are not exempt from regulation, consent must be obtained. Consent has to be freely given by clicking on “I consent" or "I accept" buttons, or other terms of a similar nature.

Consent can also be obtained by inferring it from a clear action taken by the user after they have been provided with sufficient information about the use of cookies.

The most appropriate method of obtaining consent will be determined by the type of cookies, their purpose, and whether they are your own or those of third parties. 

It is necessary to inform the user if data will be shared with other web pages of the same publisher or even with third parties associated with the publisher.

Some of the mechanisms that can be used to obtain consent are as follows:

  • When requesting a service discharge.
  • During the process of configuring the website's or application's operation.
  • Through consent management platforms (CMP).
  • Before the moment when a service or application is offered.
  • Through the layered information format.
  • Through browser settings.

What does an AEPD compliant cookie banner look like?

According to the Spanish DPA cookie guidelines, information can be provided in two layers. The first layer must be identified by a generally used term, such as “cookies”, and must contain the following information:

  • The identity of the website's owner. It is not necessary to identify the editor by their corporate name when this data is available in other sections of the website (i.e., privacy policy) and their identity can be deduced clearly from the website itself (i.e., when the domain name is the same as the editor name or the trademark by which they are known by the general public). 
  • Identification of the purposes of the cookies used on the website.
  • Information on whether such cookies are solely the website manager's cookies or whether third-party cookies are also used. 
  • General information on the types of data that will be collected and used if user profiling is used (for example, when behavioral advertising cookies are used). 
  • The manner in which users can accept, set up, and reject cookie use, including a warning that if they proceed with certain actions, it will be assumed that users accept cookie use.
  • A clearly visible link to a second informative layer containing more detailed information, such as “Cookies", “Cookie policy” or “Click here for more information". This same link may be used to direct users to the cookie setup panel, as long as such access is done directly (users do not have to browse the second layer of information to locate it).

The AEPD cookie guidelines provide the following examples of compliant cookie banners:

text

It is stated that cookies (analytics and behavioral advertising cookies) are used by both the website editor and third parties, and a link is provided for users to learn more about the cookies, which also directs the user to the cookie setup panel. Besides, when users click the "Accept Cookies" button, explicit user consent is obtained. If the user does not click the "Accept Cookies" button, cookies are not being set. As a result, if users continue to browse without clicking "Accept Cookies," cookies are disabled.

text

It is provided that cookies are set by both the website editor and a third party (analytics and advertising cookies). A link is provided to take the user to the second layer, which contains more detailed information about cookies. The manner through which a user can accept or reject cookies is also specified. A link to cookie configuration is already available.

The websites listed below are examples of Spanish websites that adhere to the aforementioned DPA rules.

text

(Source: www.edelvivesdigital.es)

text

(Source: www.bancosantander.es)

How to obtain consent from children under the age of 14?

The WP29 advises organizations to avoid creating profiles of children for marketing purposes in general.

For websites or online services aimed specifically at minors, extra care must be taken to ensure that the language used is simple and clear.

In the case of minors under 14 years of age, the data controller must ensure that the holder of parental authority or guardianship has given consent for the processing of personal data. 

As a result, the level of risk associated with cookie use should be considered. The lower the risk, the simpler the verification system that can be implemented. 

For example, in the case of a website aimed at minors who did not register, and if their device and navigation data are only used for analytical purposes, the holder of parental authority or guardianship could be obtained through warning or call directed to the minor. The first information layer should state that “if you are under 14 years of age, notify your father, mother, or guardian to accept, configure, or reject cookies before continuing browsing”.

When cookies are used to store data about users or their terminal for experience customization and no profile of the minor is created, additional precautions should be taken to verify that consent was given or authorized by the holder of parental authority or guardianship.

The editors may use any reasonable verification formula to ensure that the person with parental authority or guardianship is the one who gives consent, not the minor under fourteen years of age (for example, questions or captchas).

Higher-risk uses may necessitate additional information from parents or guardians for verification (for example, a contact email to which the editor can send an email to verify acceptance by the minor's parents or guardian).

If consent to the use of cookies is obtained during the registration process for a service, or in the context of another process in which personal data from minors is requested, additional information about the parents or guardians may be requested for verification purposes. Alternatively, they may be asked to sign a consent declaration.

Obtaining cookie consent when an editor provides services through different pages

The same publisher who provides different services through different domains may inform and obtain consent for the use of cookies in the rest of the domains that have similar characteristics via a single web page. 

Users have to be informed about the web pages or domains to which cookies will be sent, the type of cookies, and the purposes for which they will be processed.

If a publisher provides services with distinct characteristics, additional safeguards must be taken.

Do I need to get consent again if I make changes to my cookie usage?

It will not be necessary to obtain consent every time a user visits the same web page where the service is offered.

However, it is clear that if the purposes of cookie collection or the third parties that use cookies change, the cookie policy must be updated and users must make a new decision.

When should I update the consent?

The EDPB recommends consent renewal at appropriate intervals as best practice. The agency considers it good practice that consent validity be limited to 24 months. 

During this time, any preferences selections made by the user should be preserved.

Withdrawal of consent for cookie use

Users must be able to easily and at any time revoke their consent. 

The publisher must inform users about how to withdraw consent and delete cookies. These guidelines must be incorporated into their cookie policy.

Possibility of denial of access to the service in case of rejection of cookies

Because the EDPB guidelines on consent state that it must be freely given, access to services and functionalities must not be conditional on cookie acceptance. 

This criterion is particularly important when denying access would prevent the exercise of a legally recognized right.

Non-acceptance of the use of cookies may, in some cases, prevent access to the website or the total or partial use of the service, provided that the user is properly informed about it and cookie-free alternative access to the service is offered. The alternative must be of equal value and be offered by the same publisher.

Final Thoughts

The website owners will not be required to report on cookie usage:

  • As long as they are only used for the website's operation;
  • If they are included in the category of exempt cookies.

If cookies are used to create a marketing profile to store data for other commercial purposes, the editor must:

  • Mention it clearly;
  • Allow access to the cookie configuration panel;
  • Allow users to reject cookies while still having access to the website.

Book a call today if you would like more information about Secure Privacy and GDPR Cookie Consent compliance, or if you would like our data protection expert to perform a quick 'check-up' of your website, cookie consent banner, or cookie policy. 

Examples of Compliant Cookie Banners

The Spanish DPA, AEPD cookie guidelines reveal which cookie banners are likely to be cookie-compliant. 

text

(Source: AEPD Cookie Guidelines)

text

(Source: AEPD Cookie Guidelines)

Checklist for compliance with AEPD Guidelines

The checklist below will help you stay in compliance with the AEPD cookie guidelines.

▢  Have a cookie consent banner or another mechanism in place to collect users’ consent for cookies

▢  Inform your users about cookies, their purposes, who uses them, how to reject or withdraw them, the data conservation period, and so on. Provide this information in a concise, understandable, clear, and unambiguous manner.

▢  Ensure that the information you want to provide is no more than two clicks away from the first page. The main information is provided in two layers, the main layer and a detailed, optional layer, in a clearly visible notice.

▢  Do not place cookies before obtaining consent, except for essential cookies. Consent can be obtained by clicking on the "I consent" or "I accept" buttons, or other terms of a similar nature

▢  In your cookie policy include information and instructions on how to withdraw consent

▢  Keep the user's choice, whether accepting or rejecting, for no more than 24 months

▢  Collect consent for each category of processing

▢  Avoid using cookie walls to be on the safe side

▢  Maintain logs of the user consent choice.

Relevant Links

Spanish DPA Official Website

Spanish DPA Cookie Guidelines

Additional Resources:

Irish Data Protection Commission

The Belgian Data Protection Authority

Germany’s DSK

French CNIL Consent Guidelines

The Dutch DPA's Cookie Consent Guidelines

Greek DPA Cookie Consent Guidelines

Italian DPA Cookie Guidelines

Luxembourg DPA Cookie Guidelines

Our detailed GDPR compliance guide 

The ultimate guide to GDPR Cookie Consent Compliance