GENERAL
WHICH LOCAL LAW IMPLEMENTS THE EPRIVACY DIRECTIVE?
Spanish Information Society Services and E-Commerce Act 34/2002 (LSSI).
IS THERE ANY REGULATORY GUIDANCE ISSUED TO SPECIFICALLY ADDRESS COOKIES?
Yes – the Spanish Data Protection Commissioner (AEPD) published on November 2019 a Guide on the use of cookies (the AEPD Guide).
Please find it here.
CONSENT
CAN A USER PROVIDE CONSENT TO COOKIES VIA WEB BROWSER SETTINGS?
Yes – with certain limitations.
The AEPD Guide has been recently modified in the light of the EDPB criteria and from 31 October 2020 onwards, the mere browsing of the user on a site will not be considered as lawful form of consent collection. Consequently, the user consent shall explicit and collected through activation boxes or marking buttons ("I accept" or "I consent"), or through any other formula that requires an explicit and unequivocal action by the user.
The AEPD Guide states that this option may be valid only if the browser settings are able to be used in such a way that allows users to (i) separately give their consent for each of the purposes envisaged and (ii) the identity of the relevant data controllers is provided (there is no need to specify the complete corporate name of the controller but rather its trade name or business name).
ARE COOKIE WALLS ALLOWED?
Unclear.
According to the AEPD Guide, there may be certain cases in which non-acceptance of the use of cookies prevents the total or partial use of the service, provided of course that the user is properly informed about this fact.
However, access to the service may not be denied in the event of rejection of the cookies in those cases in which such rejection prevents the exercise of a legally recognised rights of the user (e.g. cancellation of a given e-service), as access to this website is the only means provided to the user to exercise their rights.
CAN CONSENT BE IMPLICIT, (I.E. THROUGH USE OF WEBSITE)?
Yes.
Implicit consent shall be valid only if it is clearly established in the first cookie information layer (e.g. cookie banner) and the user performs a clear affirmative action (i.e. navigate to a different section, other than the second cookie information layer or privacy policy, slide the scroll bar, close the first layer notice, or click on any service content).
Nevertheless, implicit consent will not be valid when (i) processing special categories of personal data, which may require explicit consent; or (ii) other explicit acceptance/consent mechanisms (i.e. checkbox, acceptance buttons) are set out in the site.
Please take into account that this implicit consent approach/interpretation set forth in the AEPD Guide may change or even be challenged due to the publication of the recent EDPB consent guidelines on 4 May 2020.
TRANSPARENCY AND RETENTION
ARE THERE SPECIFIC RULES OR GUIDANCE FOR COOKIE BANNERS?
The AEPD Guide recommends the provision of the relevant cookies information in two different layers:
First layer: The cookie banner displayed when entering a given site.
Second layer: The cookie policy implemented on the site.
The AEPD Guide provides a list of the different elements that the cookie banner should include as well as different cookie banner examples already aligned with the indications and requirements listed in the AEPD Guide. In particular, the minimum content that the cookie banner shall in any event include is as follows:
- identity of the controller;
- purposes;
- if own and/or third parties cookies are used;
- generic information regarding the categories of data to be collected and processed in case of user profiling (i.e. when behavioural advertising cookies are used);
- means of acceptance, configuration and rejection of the use of cookies, which shall include, when applicable, that certain actions may be understood as effective consent (i.e. further browsing); and
- a clearly visible link directed to a second information layer including more detailed information (i.e. cookie policy).
IS A SEPARATE COOKIE POLICY REQUIRED IN ADDITION TO THE WEBSITE PRIVACY POLICY?
Yes.
The AEPD Guide establishes that to maintain the visibility of the information about cookies, it should be highlighted and separated (by a different hyperlink, for example) from the rest of information such as (i) the terms and conditions of the site or (ii) the privacy notice.
ARE THERE ANY SPECIFIC RETENTION PERIODS FOR DATA HELD BY COOKIES?
Yes.
The AEPD Guide establishes as a good practice that 24 months is the longest period for storing user consent and preferences for cookies. Consequently, it will be recommended for data controllers to re-collect the user's consent after a 24-month period from the last consent collection.
Having said this, the AEPD Guide includes the existence of two different types of cookies depending on how long they remain active, session cookies and persistent cookies.
Session cookies will collect and store data only while the user accesses a website. The information stored will only be used for the sole purpose of providing a specific service and shall be erased once the service has been provided and the user closes their session. Persistent cookies on the other hand are those where the data collected will be kept stored in the terminal and be accessed and processed during a period of time defined by the service provider (entity responsible of the cookie). No specific limit of time is included in the AEPD Guide. In this sense, the AEPD Guide highly recommends the use of session cookies rather than persistent ones, and in case persistent cookies are installed, its temporary duration must be reduced to the minimum in view of the purpose of its use.
DO ANY COOKIE RULES OR GUIDANCE APPLY DIFFERENTLY FOR FIRST-PARTY AND THIRD-PARTY COOKIES?
No.
The AEPD Guide does not include any separate rules or has not published any separate guidance specifically applicable to third-party cookies. However, it includes certain provisions to duly implement the same and protect users' rights.
For instance, the entity providing the service and using third-party cookies shall include all the relevant information about these third-party cookies implemented through the cookies policy and cookie banner in order for the user to be fully informed of the existence, use and purpose of these types of cookies. Additionally, the AEPD Guide establishes that the service provider must indicate how users can erase third-party cookies, and that to do so they must do it from their own browser or by using the system enabled by the relevant third parties for this purpose.
Finally, contractual relationships between the service provider and the third party must state clearly that this party will not process data with any other purpose more than the provision of the service agreed. This agreement limits the service provider responsibility of complying with the obligations of informing and obtaining consent related to the third-party cookies to the processing that it is responsible for on behalf of the agreement.
ENFORCEMENT
IS THERE ANY REGULATORY STRATEGY ON THE ENFORCEMENT OF COOKIE RULES?
No.
HAVE THERE BEEN ANY FINES ISSUED FOR NONCOMPLIANCE OF COOKIE RULES?
Yes – the AEPD has imposed a total of 41 fines for non-compliance of cookie rules since 2014. In particular, the AEPD has recently issued the following:
- PS/00469/2019 – SOLO EMBRAGUE S.L. – 27.02.2020 – EUR2,800
- PS/00127/2019 – IKEA IBÉRICA S.A.U. – 28.11.2019 – EUR10,000
- PS/300/2019 – VUELING AIRLINES, S.L.– 1.10.2020 – EUR30,000
- PS/00175/2019 – VF JEANSWEAR ESPAÑA S.L. (Vans) – 13.08.2019 – EUR5,000
HAVE THERE BEEN ANY COURT CASES ADDRESSING COOKIE COMPLIANCE?
No.
ADDITIONAL INFORMATION
- New consent collection is required when the cookie policy is updated.
- It is considered a good practice, and hence recommendable, to re-collect consent after 24 months period from the last consent collection.
- Consent is required for analytic cookies.
- Consent is required for preferences cookies.
Originally published 27 November 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
