The Spanish Data Protection Authority recently issued guidelines on the regulation of Spanish cookies, following an amendment to Article 22 of Act 34/2002 on Information Society Services and Electronic Commerce, with a view to implementing the EU e-privacy Directive in Spain.
The guidelines provide useful information to understand the new requirements of the Regulation and useful tips to put it into practice. They also stress the importance of the terms included in the contractual and pre-contractual relationship between parties.
The Spanish authority stresses the importance of the contractual relationship between editors, advertisers and third parties involved in this process.
A distinction is made between different types of cookies (first/third party cookies, tracking cookies, advertising, analytics, session, security cookies, etc.) and it is established that certain types are excluded from the legal requirements. These exceptions are based on Opinion 4/2012 (WP194) and are usually related to cookies that are strictly necessary for a service or are explicitly requested by a user, e.g. session or access cookies, security cookies, authentication/identification cookies, multimedia player session cookies, load balancing session cookies, UI customization cookies, and social plug-in content sharing cookies.
The guidelines also explain the different types of parties involved in the management of this system and the information processed (user, editor, advertiser, advertising agencies…), stating that the main obligations are to provide clear information and consent. They also highlight the following main points:
- Preference for layered privacy notices: provide basic information in a short initial note with further, more detailed, information available should an individual require it.
- Locating the information where users can find it easily.
- Implied consent is possible: in general terms, for consent to be valid users should be clearly informed and must carry out a positive action. However, consent could also be valid if clear information is given and the user clicks on any other link on the web page uses the scroll bar.
- Cookies that come under the exemption are excluded from the requirement of prior informed consent.
- The possibility of withdrawing previously given consent must be available at any time.
The legislation does not expressly define who is responsible for complying with these requirements. In this regard, the guidelines state that the different parties involved in the delivery and management of information in cookies should cooperate, and that they could both be responsible for complying with these obligations.
The Spanish authority stresses the importance of the contractual relationship between editors, advertisers and third parties involved in this process, recommending the inclusion of certain clauses establishing how valid consent is to be obtained, by whom, and also the means to withdraw it. This seems a good clue to figure out who should be responsible for complying with the Regulation. It could certainly be an issue if the contractual terms are not clear.
Moreover, there is a debate about whether lack of express consent from users in the delivery of cookies could be sanctioned, because the law is not clear. The legislation expressly establishes a severe sanction for the lack of information or means to withdraw consent, but it does not expressly establish this sanction for a lack of opt-in consent.
Perhaps this is why the effectiveness of this new regulation in Spain is so controversial.
Finally, I would like to mention an interesting and witty initiative from the Interactive Advertising Bureau about this issue, to help understand the requirements of this new regulation. You can see it here.