On November 8, 2019, the Spanish Supervisory Authority (“SA”) issued detailed guidance on cookies and similar technologies in collaboration with stakeholders in the ad industry, including Adigital, Anunciantes, AUTOCONTROL and IAB Spain. The guidance is divided into 4 chapters:
- Chapter 1: scope of the Spanish cookie rules (Art. 22 of Law 34/2002);
- Chapter 2: terminology and definitions (e.g., types of cookies and terminal equipment);
- Chapter 3: obligations (in particular transparency and consent); and
- Chapter 4: responsibility of the relevant parties (e.g., website owners and advertisers).
The guidance also contains an annex that lists the entities generally involved in targeted advertising and explains their respective roles.
The guidelines do not aim to provide a uniform solution on how to comply with the Spanish rules on cookies. Instead, companies are invited to adapt their compliance measures to their specific interests and business models.
Below, we provide a brief summary of each section:
Chapter 1 (scope of the Spanish cookie rules)
This chapter lists the types of cookies that are excluded from the Spanish cookie rules. These include cookies used for purposes of authentication (during the session), online shopping carts, online contact forms, cookies to personalize the user’s interface, and plug-ins used to share content on social media (but only for users who have signed up for a relevant social media account). While the SA recommends informing users in a generic manner of the use of such cookies, the SA acknowledges that this is not strictly required. This also applies if these cookies are dropped by third parties.
The guidance states that the Spanish cookie rules do apply to digital fingerprinting. The SA issued guidance on digital fingerprinting earlier this year.
Chapter 2 (terminology and definitions)
This chapter explains a number of concepts and differentiates, for example, between first party and third party cookies, as well as session cookies and persistent cookies. It classifies cookies according to their purpose into the following 4 types: (1) technical cookies; (2) preference cookies (cookies de preferencias o personalización); (3) analytics cookies (cookies de análisis o medición); and (4) behavioral advertising cookies.
Chapter 3 (obligations)
This chapter is divided into two sections: transparency obligations and obtaining consent.
On transparency, it sets out what information users should receive about cookies. This includes: (1) a generic definition of cookies; (2) information about the types of cookies used; (3) the identity of cookie users (e.g., the website owner and/or third parties); (4) information about how to accept, reject, or revoke consent or delete cookies; (5) information about the use of profiles to make automated decisions, if applicable; (6) the retention period; and (7) information on where users can find other information required under Art. 13 GDPR.
According to the guidance, it is good practice to renew consent at least every 24 months.
In the case of minors, the guidance recommends not using targeted advertising on websites directed at minors, including minors between 14 and 18 for whom parental consent is not required under Spanish law.
Chapter 4 (the responsibility of the parties)
If a website uses third-party cookies, both the website owner and the third party are responsible for clearly informing users and obtaining their consent. The website owner may provide information about the third-party cookies by linking to the third party’s websites. However, the website owner must ensure that the link works. The website owner and the third party should also contractually agree on how to comply with their transparency and consent obligations.
According to the guidance, “each controller is responsible for the concrete processing they conduct. Where different controllers are in charge of the processing, each has its own responsibility”. Only where the controllers jointly determine the purposes and means of the processing will they be considered joint controllers under Art. 26 GDPR. However, even as joint controllers, their responsibility will not be the same, but will depend on the impact their actions/omissions have on the data processing.