On November 8, 2019, the Spanish Supervisory Authority (“SA”) issued detailed guidance on cookies and similar technologies in collaboration with stakeholders in the ad industry, including Adigital, Anunciantes, AUTOCONTROL and IAB Spain. The guidance is divided into 4 chapters:
- Chapter 1: scope of the Spanish cookie rules (Art. 22 of Law 34/2002);
- Chapter 2: terminology and definitions (e.g., types of cookies and terminal equipment);
- Chapter 3: obligations (in particular transparency and consent); and
- Chapter 4: responsibility of the relevant parties (e.g., website owners and advertisers).
The guidance also contains an annex that lists the entities generally involved in targeted advertising and explains their respective roles.
The guidance starts by acknowledging that online advertising is an important source of revenue and employment for many. However, it also highlights that the use of cookies and similar technologies may have an important impact on the privacy of users. It is therefore important to maintain the trust of users in these technologies.
The guidelines do not aim to provide a uniform solution on how to comply with the Spanish rules on cookies. Instead, companies are invited to adapt their compliance measures to their specific interests and business models.
Below, we provide a brief summary of each section:
Chapter 1 (scope of the Spanish cookie rules)
This chapter lists the types of cookies that are excluded from the Spanish cookie rules. These include cookies used for purposes of authentication (during the session), online shopping carts, online contact forms, cookies to personalize the user’s interface, and plug-ins used to share content on social media (but only for users who have signed up for a relevant social media account). While the SA recommends informing users in a generic manner of the use of such cookies, the SA acknowledges that this is not strictly required. This also applies if these cookies are dropped by third parties.
The guidance states that the Spanish cookie rules do apply to digital fingerprinting. The SA issued guidance on digital fingerprinting earlier this year.
Chapter 2 (terminology and definitions)
This chapter explains a number of concepts and differentiates, for example, between first-party and third-party cookies, as well as session cookies and persistent cookies. It classifies cookies according to their purpose in the following 4 types: (1) technical cookies, (2) preference cookies (cookies de preferencias o personalización), (3) analytics cookies (cookies de análisis o medición), and (4) behavioral advertising cookies.
Chapter 3 (obligations)
This chapter is divided into two sections: transparency obligations and obtaining consent.
On transparency, it sets out what information users should receive about cookies. This includes: (1) a generic definition of cookies; (2) information about the types of cookies used; (3) the identity of cookie users (e.g., the website owner and/or third parties); (4) information about how to accept, reject, or revoke consent or delete cookies; (5) information about the use of profiles to make automated decisions, if applicable; (6) the retention period; and (7) information on where users can find other information required under Art. 13 GDPR.
This chapter also explains how this information should be provided and gives examples. According to the guidance, the information must be adapted to the expected knowledge of an average user of the particular website. The information should be easily accessible (maximum two clicks away) and clearly visible. The guidance recommends disclosing the information in a dedicated cookie policy, rather than a privacy policy, and providing the information together with the cookie management tool.
In relation to consent, the guidance indicates that consent must be provided through an affirmative action, but that in certain circumstances the continued use of the website can qualify as consent. This is the case, for example, if users are clearly informed about this through a notice that is “clearly visible” (in light of its form, color, size and placing), users are given the possibility to configure their choices through a cookie management tool, and the user’s action qualifies as an affirmative action (e.g., clicking on any section of the website other than the link to the cookie policy or privacy policy). Consent can only be obtained through the browser settings if the browser is able to separately collect consent for each type of cookie and identifies the controllers.
According to the guidance, it is good practice to renew consent at least every 24 months.
In the case of minors, the guidance recommends not using targeted advertising on websites directed at minors, including minors between 14 and 18 for whom parental consent is not required under Spanish law.
Chapter 4 (the responsibility of the parties)
If a website uses third-party cookies, both the website owner and the third party are responsible for clearly informing users and obtaining their consent. The website owner may provide information about the third-party cookies by linking to the third party’s websites. However, the website owner must ensure that the link works. The website owner and the third party should also contractually agree on how to comply with their transparency and consent obligations.
According to the guidance, “each controller is responsible for the concrete processing they conduct. Where different controllers are in charge of the processing, each has its own responsibility”. Only where the controllers jointly determine the purposes and means of the processing will they be considered joint controllers under Art. 26 GDPR. However, even as joint controllers, their responsibility will not be the same, but will depend on the impact their actions/omissions have on the data processing.