In anticipation of the GDPR, the Spanish AEPD published cookie guidelines to help businesses get ready for compliance.
The GDPR – General Data Protection Regulation – is the European Union's set of rules on the protection of personal data; it has applied since 25 May 2018.
Who is the AEPD?
AEPD stands for Agencia Española de Protección de Datos, the Spanish Data Protection Agency. Its role is to supervise compliance in Spain with the GDPR and with the LOPDGDD – Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights.
The AEPD also has an informative and educational role: it publishes 66 guides on its website, some of them also available in English, together with tools, videos and other resources for implementing compliance measures.
What are the AEPD Guidelines?
The AEPD published three guidelines in 2017 to help organisations, especially small and medium enterprises (SMEs), prepare for data protection compliance.
As of 2020 these guides have been updated and new ones have been added to the list.
AEPD – GDPR GUIDELINES FOR SPANISH SMEs
What is GT29?
GT29 (from the Spanish Grupo de Trabajo del Artículo 29) is the Article 29 Working Party, a body made up of one representative of the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission. It was set up under Directive 95/46/EC and started work in 1996; on 25 May 2018 it was replaced by the EDPB.
What is EDPB?
The EDPB is the European Data Protection Board, an independent EU body that ensures the consistent application of the GDPR across the European Union and the EEA states Norway, Liechtenstein and Iceland.
It also promotes cooperation between the data protection authorities of those states.
What is LSSI?
The LSSI is Law 34/2002 on Information Society Services and Electronic Commerce (Ley de Servicios de la Sociedad de la Información y de Comercio Electrónico), also abbreviated LSSICE.
What are cookies, and which ones are exempted from the law?
Cookies are small text records that a website stores in the user's browser when the user visits it. The browser sends them back with later requests to the same site, which lets the site recognise the browser and collect data about its use.
Article 22.2 of the LSSI, as quoted in the guide, states that "Service providers may use data storage and retrieval devices in the terminal equipment of the recipients, provided that they have given their consent after they have been provided with clear and complete information on their use, in particular, on the purposes of data processing, in accordance with the provisions of Organic Law 15/1999, of December 13th, on the Protection of Personal Data".
Some cookies are excluded from article 22.2 of the LSSI and may be used without consent. These are:
- “User input” cookies.
- User authentication or identification cookies (session only).
- User security cookies.
- Media player session cookies.
- Session cookies to balance the load.
- Cookies for customizing the user interface.
- Certain social-network plug-in cookies used to share content.
What types of cookies are used by websites?
- First-party vs. third-party.
First-party cookies are set by the publisher (editor) of the site the user is visiting, from its own domain, when the user requests a service.
Third-party cookies are set from a computer or domain that is not managed by the publisher but by another entity, which then processes the data obtained.
- Session vs. persistent.
Session cookies store data only while the user is on the website and are discarded when the browsing session ends.
Persistent cookies are stored on the terminal and can be accessed and processed for a period set by the party responsible for the cookie, which may range from a few minutes to several years.
- Technical cookies.
They allow the user to navigate through a web page, platform, or application and to use the different options or services that exist in it. This includes cookies for controlling traffic and data communication, identifying the session, accessing restricted access parts, among others.
Cookies for managing advertising spaces also fall in this category. Technical cookies are exempt from the obligations of article 22.2 of the LSSI when they are used exclusively to provide the service the user requested.
- Preference or customization cookies.
They allow a personalized user experience in a website, memorizing options and choices such as language, filters, etc.
They are exempt from the obligations of article 22.2 of the LSSI when it is the user who chooses these settings.
- Analysis or measurement cookies.
They make it possible to quantitatively monitor and analyse the behaviour of the users of the websites to which they are linked.
GT29 stated that they are not exempt from the duty to obtain informed consent, but that first-party analytics cookies are unlikely to represent a privacy risk.
- Behavioral advertising cookies.
These store information about users' behaviour, obtained by continuously observing their browsing habits, which makes it possible to serve them tailored advertisements.
What and how to inform users about cookies?
Users should be informed about:
- Definition, type, generic function, and purpose of cookies.
- How to accept, deny, or revoke consent.
- Where appropriate, information on data transfers to third countries made by the editor.
- When profiling involves automated decision-making with legal effects for the user or that similarly affects them.
- Period of data conservation for the different purposes established in article 13.2 a) of the GDPR.
Users must be informed in a concise, understandable, clear and unambiguous way.
While consent is being collected, this information must be no more than two clicks away from the first page. It is to be provided in a clearly visible notice in two layers: a first layer with the main information and an optional second layer with the details.
How to obtain consent?
Which method is most appropriate for obtaining consent depends on the type of cookies, their purpose, and whether they are first-party or third-party.
Users must be informed if data will be shared with other websites of the same publisher or with associated third parties.
Some of the mechanisms that can be used to obtain consent are:
- When the user signs up for a service.
- While the user configures the operation of the website or application.
- Through a consent management platform (CMP).
- Before a service or application is provided.
- Through the layered information format.
- Through browser settings.
How to obtain consent from children under 14 years of age?
GT29 recommends that organisations refrain, in general, from creating profiles of children for marketing purposes.
For websites or online services specifically aimed at minors, additional effort has to go into the simplicity and clarity of the language used.
For minors under 14 years of age, the data controller has to make sure that consent for the processing of personal data was given by the holder of parental authority or guardianship.
For example, on a website aimed at minors who do not register, and whose device and browsing data are used only for analytics, consent from the holder of parental authority or guardianship could be obtained through a warning or call addressed to the minor. The first information layer should state: "if you are under 14 years of age, before continuing to browse, notify your father, mother or guardian so that they can accept, configure or reject cookies".
When cookies store data about users or their terminal to customise the experience, and no profile of the minor is drawn up, additional precautions should be taken to verify that consent was given or authorised by the holder of parental authority or guardianship.
Publishers may use any reasonable verification method to check that it is the holder of parental authority or guardianship, and not the minor under 14, who gives consent (for example, questions or captchas).
Higher-risk uses may require additional information from parents or guardians for verification purposes (for example, a contact email address to which the publisher can send a message to verify acceptance by the minor's parents or guardian).
Obtaining cookie consent when a publisher provides services through different pages
Users have to be informed about the web pages or domains to which the cookies will be sent, the type of cookies, and the purposes for which the data will be processed.
If a publisher provides services whose characteristics are not similar, additional precautions must be adopted.
It is not necessary to obtain consent again every time a user visits the same web page from which the service is provided.
When should I update the consent?
The EDPB recommends, as best practice, renewing consent at appropriate intervals. The AEPD considers it good practice that the validity of consent does not exceed 24 months.
During that period, the selections the user made in their preferences should be preserved.
Users must be able to revoke consent easily and at any time.
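The consent mechanics described in this section and the ones before it (technical cookies exempt from consent, a stored preference that is preserved for at most 24 months, revocation that is as easy as acceptance, and the difference between a persistent and a session cookie expressed through Max-Age) as an added Node.js example. This is not code from the AEPD guide or from this page's author. The cookie name cookie_consent, the category names technical, analytics and advertising, the base64url JSON encoding of the record, the Secure and SameSite=Lax attributes and all function names are this example's own assumptions.

```javascript
// Added example, not code from the AEPD guide or from this page's author.
// Assumptions (this example's own): the cookie name "cookie_consent", the
// category names "technical", "analytics" and "advertising", the base64url
// JSON encoding of the record, and the Secure/SameSite=Lax attributes.

const CONSENT_COOKIE = 'cookie_consent';
// Categories that need no consent under article 22.2 LSSI (technical cookies
// used only to provide the service the user requested); all others are gated.
const EXEMPT = new Set(['technical']);
const GATED = ['analytics', 'advertising'];

// Consent should not outlive 24 months (AEPD good practice); after that the
// notice must be shown again.
function consentExpiry(now) {
  const d = new Date(now);
  d.setUTCMonth(d.getUTCMonth() + 24);
  return d.getTime();
}

// Build a consent record from the choices made in the configuration panel.
// Unknown categories are ignored; missing gated categories count as rejected.
function createConsent(choices, now = Date.now()) {
  const record = { given: now, expires: consentExpiry(now), choices: {} };
  for (const c of GATED) record.choices[c] = choices[c] === true;
  return record;
}

function isConsentValid(record, now = Date.now()) {
  return !!record && typeof record.expires === 'number' && now < record.expires;
}

// The single gate every cookie-setting code path should go through.
function mayUseCookie(category, record, now = Date.now()) {
  if (EXEMPT.has(category)) return true;          // exempt: never needs consent
  if (!isConsentValid(record, now)) return false; // none or expired: deny
  return !!record.choices && record.choices[category] === true; // stored preference
}

// Revocation must be as easy as consent: a fresh record that rejects every
// gated category, so the rejection itself is preserved and the notice does not
// reappear on the next visit.
function revokeConsent(now = Date.now()) {
  return createConsent({}, now);
}

// Serialise the record as a Set-Cookie header. Max-Age is tied to the consent
// expiry, so the preference survives for the whole period and the browser
// discards it exactly when consent must be renewed. A session cookie would
// simply omit Max-Age.
function consentSetCookie(record, now = Date.now()) {
  const maxAge = Math.max(0, Math.floor((record.expires - now) / 1000));
  const value = Buffer.from(JSON.stringify(record)).toString('base64url');
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Set-Cookie header that deletes a cookie, for clearing the cookies of a
// category the user has just revoked. Domain and Path must match the ones the
// cookie was originally set with, or the browser will not remove it.
function deleteCookieHeader(name, domain) {
  return `${name}=; Max-Age=0; Path=/${domain ? `; Domain=${domain}` : ''}`;
}

// Read the consent record from a request's Cookie header; null when absent or
// malformed, which the gate treats as "no consent".
function parseConsent(cookieHeader) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const record = JSON.parse(Buffer.from(rest.join('='), 'base64url').toString('utf8'));
      return record && typeof record === 'object' ? record : null;
    } catch {
      return null;
    }
  }
  return null;
}

// Per-request decision: which categories may set cookies and whether the
// consent notice has to be shown.
function decideForRequest(cookieHeader, now = Date.now()) {
  const consent = parseConsent(cookieHeader);
  const allowed = {};
  for (const c of ['technical', ...GATED]) allowed[c] = mayUseCookie(c, consent, now);
  return { consent, allowed, showBanner: !isConsentValid(consent, now) };
}
```

In a request handler, call decideForRequest(req.headers.cookie) first and only set analytics or advertising cookies when the matching allowed flag is true; when the user revokes a category, respond with consentSetCookie(revokeConsent()) plus one deleteCookieHeader(...) per cookie that category had set. Because the record carries its own expiry, a copy that is older than 24 months is rejected even if the browser kept it, and the notice is shown again.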
Possibility of denial of access to the service in case of rejection of cookies
Since the EDPB guidelines on consent require that it be given freely, access to services and functionalities must not be conditional on accepting cookies.
This criterion is especially important where denial of access would prevent the exercise of a legally recognised right.
Access may be refused to a user who rejects cookies only when those cookies:
- are used solely for the operation of the website;
- fall within the category of exempt cookies.
When cookies are used to build a profile for marketing or to store data for other commercial purposes, the publisher must:
- state it clearly;
- make the cookie configuration panel accessible;
- offer a way to reject cookies while maintaining access to the website.