The new Spanish cookie rules

Written by
November 25, 2020
Openli Li

Any company or organisation that runs a website for its products or services also needs to take into account the use of cookies on its website. Through the use of cookies, companies and organisations obtain user-related data that can subsequently be used for the provision of specific services or products, to serve advertising or as a basis for the development of improved or new products and services on free occasions.

Pursuant to the guidelines of the EDPB, the AEPD (Spanish Data Protection Authority) has recently issued new guidelines which entail some changes regarding the use of cookies on a website. We will briefly outline them for you in this guide.

1. What has changed with the cookie rules?

In essence, obtaining consent has become central to the use of cookies. It is extremely important that this is obtained lawfully. The guidelines state that consent must be given freely and in a clear and affirmative manner. In concrete terms, this means that from the 31st October 2020, it will be explicitly prohibited for websites to use cookie walls. A cookie wall ensures that website visitors cannot get access to the website before they accept the cookies.

AEPD: "Consent must be freely given. Access to functions on websites must not be made conditional on the consent of the user".

In addition, the guidelines also put an end to continued browsing as a given consent. What does this mean? Because of this, scrolling or swiping through a website will no longer be accepted as consent, as there is no clear and affirmative consent (opt-in).

These new guidelines make the need for a good cookie consent solution all the more important. That's where we/Openli can help you. With our solution your cookies will always be used according to law.

Below you can find some more in-depth information about cookies and what you should be aware of.

2. Definition and types of cookies

Cookies allow the storage in the user's device of amounts of data ranging from a few kilobytes to several megabytes.

Cookies are then sorted according to a number of categories. However, it is necessary to note that the same cookie may be included in more than one category. Depending on which entity manages the computer or domain from which cookies are sent and treats the data obtained, we can distinguish:

  • a) Own cookies: these are those that are sent to the user's device from a computer or domain managed by the publisher itself and from which the service requested by the user is provided.
  • b) Third-party cookies: these are those that are sent to the user's device from a computer or domain that is not managed by the publisher, but by another entity that processes the data obtained through cookies.

In the event that cookies are served from a computer or domain managed by the publisher itself, but the information collected through them is managed by a third party, they cannot be considered as their own cookies if the third party uses them for their own purposes.

Cookie purposes

There are many purposes for the use of cookies. Depending on the purpose for which the data obtained through cookies are treated, some of the purposes may be:

  • a) Technical cookies: these allow the user to browse through a website, platform or application and use the different options or services that exist in it, including those that the publisher uses to allow the management and operation of the website and enable its functions and services.
  • b) Preference or personalisation cookies: these allow to remember information for the user to access the service with certain characteristics that can differentiate their experience from that of other users.
  • c) Analytical cookies: these are cookies that allow the person responsible for them to monitor and analyze the behavior of the users of the websites to which they are linked, including the quantification of the impacts of the advertisements. The information collected through this type of cookies is used in the measurement of the activity of the websites, application or platform, in order to introduce improvements based on the analysis of the usage data made by the users of the service.
  • d) Behavioral advertising cookies: these store information about user behavior obtained through the continuous observation of their browsing habits, which allows to develop a specific profile to show advertising based on it.

Depending on the period of time they remain activated on the device we can distinguish:

  • a) Session cookies: these are designed to collect and store data while the user accesses a website. They are usually used to store information that only interests to keep for the provision of the service requested by the user on a single occasion and disappear at the end of the session.
  • b) Persistent cookies: these can be accessed and processed for a period defined by the person responsible for the cookie and that can range from a few minutes to several years.

3. Compliance and transparency

The legal obligations imposed by the legislation are two, namely: the obligation of transparency and the obligation to obtain consent. The information about cookies provided at the time of requesting consent must be sufficiently complete to allow users to understand their purposes and the use that will be given to them.

The following information should be included in the cookie policy:

  • Definition and generic function of cookies.
  • Information about the type of cookies used and their purpose.
  • Identification of who uses cookies.
  • Information on how to accept, deny or revoke consent for the use of cookies.
  • Information on data transfers to third countries made by the publisher.
  • Where profiling involves automated decision-making.
  • Conservation period.

Clear and transparent language

Information or communication should be concise and transparent. The lower the technical level of the average user of that website, the simpler the language used (avoiding understandable technical terminology) and the more complete the information offered, based on the most basic aspects of what cookies are and how they work. In any case, this lower technical level should not be an obstacle to make the information provided as clear as possible, avoiding reloading the information with unnecessary details that make it difficult to read.

On the contrary, if the users to which the website is directed has a high level of knowledge about the Internet, it may not be necessary to provide basic information about what cookies are and how they work, although they must in any case include detailed information about what type of cookies are used on that page and for what purposes.

At all times it must be based on the consideration of the knowledge that an average user has about cookies and their management, without prejudice to demanding additional information when the web pages are especially aimed at users who by their profile can be considered to have a lower degree of knowledge.

Clear and simple language must be used. The user should not have to search for the information, but it must be evident to him where and how he can access it, such as when a clearly visible link is provided that directs directly to the information under a common use term such as "cookie policy" or "cookies".

Remember to inform your users

Informing users is not something new on the Internet. Most website editors know what methods to use to attract users' attention to the information they want to highlight, such as in the case of promotions, offers or satisfaction surveys, and to obtain the consent of their users, even in other contexts. How users are viewed should leverage the experience gained through these methods.

On a website, for example, the accessibility and visibility of the cookie policy can be boosted in the following ways:

  • Through the format of the link: for example, by increasing the size of the link to the information or by using a different font that distinguishes that link from the normal text of the website.
  • Through link positioning: The location of the link in areas that capture the attention of users or in areas where the average user expects to find them as a common and widespread practice can help ensure their accessibility and visibility.
  • Through the use of a descriptive and intuitive name for the link: The use of an explanatory expression such as "Cookie Policy", rather than a more general expression such as "Privacy Policy" to improve the accessibility and visibility of the message.
  • Through other techniques that help highlight the importance of that information link, such as: framing or underlining the link, displaying a warning when the mouse pointer hovers over the link or use a clickable image that encourages you to search for more information.

In any case, it will be necessary for the user to take an action that can be classified as a clear affirmative action in order for the consent to be considered validly granted.

Consent must be actively given

Obtaining consent through user conduct other than an acceptance button, but consisting of clear affirmative action, shall be admissible provided that the conditions under which the conduct occurs provide sufficient certainty that informed and unequivocal consent is given and that such conduct can be proved to have been carried out.

In any case, the mere fact of continued browsing, scrolling or swiping the website will not be considered a clear affirmative action under any circumstances. It will be necessary that the information of the first layer is completed with a system or configuration panel in which the user can choose between accepting cookies in a granular way or a link that leads to that system or panel.

4. Consent

When using non-necessary cookies, obtaining the user's consent is now mandatory. This consent may be obtained through express formulas, such as by clicking on a section that states "consent", "I accept", or other similar terms.

The mere inactivity of the user will neverr imply the provision of consent by itself. For such consent to be valid, it must be given freely and informedly. Therefore, it is necessary to take into account:

  • That the modalities for the provision of consent may be varied. Obtaining consent through a user click or similar conduct will certainly facilitate proof that it has been obtained. This formula may be most appropriate for registered users. That the user must have taken a clear affirmative action.
  • That it has to be obvious to the user with what specific action he accepts the use of cookies. In this sense, the use of an "Accept" button will be considered sufficient information, without the need to clarify that clicking "Accept" accepts cookies. On the other hand, complex or less obvious actions than the use of acceptance or save buttons of the chosen configuration should be explained to the user.
  • That the user, in any case, may refuse to accept cookies.
  • The information provided to the user must always be clear and simple.

Acceptance of the terms or conditions of use of the website or service is separate from acceptance of the privacy or cookies policy. Determining which method will be appropriate to obtain consent to use cookies will depend on the type of cookies to be used, their purpose and whether they are their own or third parties.

One aspect to consider is whether the relationship with the user is between the publisher or third parties. In this sense, it should be indicated whether consent is provided only for the website on which it is being requested or whether it is also provided for other websites of the same publisher or even for third parties associated with the publisher within the framework of the purposes of the cookies on which information has been offered.

Disclaimer: Depending on your line of business, country, industry and customer type (e.g. children, consumers etc.) you might need other documents and information so please note that this list is not exhaustive.