Cookies: how to inform the user  

Author: Francisco Moreno (Lawyer, Founding Partner)


In November 2019, the Spanish Data Protection Agency (the “AEPD”) published a Guide on the use of cookies. One of the main novelties brought about by the entry into force in 2018 of Regulation 2016/679, the General Data Protection Regulation (the “RGPD”), was the requirement of explicit consent as a legitimate basis for the processing of personal data. Moreover, this consent requires that the holder of the personal data has been provided with sufficient information about the processing.

Certain cookies may involve the processing of personal data. Recital 30 of the RGPD already stated that ‘natural persons can be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet protocol addresses, session identifiers in the form of “cookies” or other identifiers, such as radio frequency identification tags’.

The starting rule is article 22.2 of Law 34/2002, on information society services and electronic commerce (the “LSSICE”). This provision allows the use of data storage and retrieval devices (cookies), provided that the recipient of the terminal equipment has given its informed consent in accordance with data protection regulations.

Obviously, consent must be understood to be required insofar as the use of cookies involves the processing of personal data.

To comply with the obligation to inform, the AEPD's new Guide lists the aspects that must be covered, fundamentally: (i) definition and generic function of cookies; (ii) information on the type of cookies used and their purpose; (iii) identification of who uses cookies; (iv) information on how to accept, deny, revoke consent or delete cookies; (v) information on transfers to third countries; and (vi) data retention period. This is without prejudice to the non-specific information required by the RGPD.

Although the AEPD also admits other forms, the Guide recommends offering the information through a double-layer system. The first layer would show the user the essential information regarding the use of cookies and include a link to a second layer, which would set out all the information about the use of cookies in a more extensive and detailed way.

Finally, it should be noted that the information should be displayed prior to consent being given. The AEPD Guide is clear on this point: “[t]his information shall be provided prior to the use of cookies, including, where appropriate, their installation, in a format that is visible to the user and that must be maintained until the user takes the action required to obtain consent or to refuse it”.

The AEPD Guide also contains important clarifications regarding consent, an issue that, due to its length, we will address in this blog in a later post.