The Spanish Data Protection Agency (hereinafter, the "AEPD") has published a new "Guidance on the Use of Cookies [1]" (hereinafter, the "Guide") adapted to the data protection legislation in force.
The aim of the Guide is to provide guidelines on how to use devices for the storage and recovery of data from terminal equipment, in compliance with the obligations set forth in the legislation in force and, in particular, in the following regulations:
- Act 34/2002, of 11 July, on Information Society Services and E-Commerce (hereinafter, the “Spanish E-commerce Act”). In particular, the second section of article 22.
- Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, “GDPR”).
- Organic Act 3/2018, of Data Protection and warranty of digital rights (hereinafter, “LOPDGDD”).
The guidance provided by the AEPD can be classified into two main blocks, each one corresponding to the main obligations that must be fulfilled by the service provider. These obligations are:
Transparency
The AEPD analyses the information to be provided to users:
(i) Definition and function of cookies, type of the cookies the service provider intends to use and their purposes.
(ii) Identification of who uses the cookies.
(iii) Information on how to accept, refuse, withdraw consent, or delete cookies.
(iv) When applicable, information about international data transfers.
(v) Information on the logic used when profiling involves automated decision-making.
(vi) Data retention period.
The AEPD also requires the information to be easily accessible, as well as concise, transparent and intelligible, using clear and plain language, avoiding the use of phrases leading to confusion or that distort the clarity of the message.
The Guide recommends the use of privacy notices to provide layered information so users can have easy access to the relevant information.
Consent
The Guide states that consent may be obtained by express methods, such as clicking on an "Accept" or "I consent" button, or a button labelled with a similar term. In addition, the AEPD also admits collecting consent by deducing it from an unequivocal action carried out by the user. Therefore, the warning commonly known as "continue browsing" is a valid method to collect consent after having correctly informed the user.
The AEPD determines that, in order to collect consent through unequivocal user action, users must carry out a clear affirmative action. As examples, the Guide cites browsing to a different section of the website, sliding the scroll bar, closing the first-layer warning or clicking on any content of the service.
Notwithstanding the above, in the latter option, the service provider must also comply with the information duty. In such cases, the first layer (which will be the "continue browsing" warning) must be completed with a configuration panel system in which the user can choose whether or not to accept cookies in a granular way (it can be integrated in either of the two layers). The service provider must include a button to reject all cookies.
On the other hand, it is important to highlight that the Guide also includes a section titled "consent of minors under the age of 14" for cases of websites or online services specifically aimed at minors.
Following the publication of the Guide, Ramón y Cajal Abogados has analyzed the main sanctions imposed by the AEPD in relation to the use of cookies from 2015 to November 2019. The summary is available here (link [2]).