Below are highlights of important elements from the Guidelines:
- Cookies and personal data protection. The Guidelines start by calling out that compliance with additional GDPR provisions (and ancillary local regulations) is required when cookies are used to process personal data. Note that the Guideline’s definition of personal data also includes data processing when “unique identifiers are used that allow for the differentiation of certain users from the others, and to track them individually (for example, an advertising ID).” (Unofficial translation.) This consideration is particularly important for online business activities.
- Types of cookies:
- Cookies excepted from compliance obligations. The Guidelines outline what cookies are excepted from the scope of application of the Spanish Information Society Services and E-commerce Act. These are mainly cookies that are required for the services requested by the user to operate, and technical cookies allowing the communication between users’ terminals and networks. These are the cookies that do not trigger the information duties or the obligation to obtain the user’s consent. That said, and for transparency purposes, the AEPD recommends informing users about the use of these cookies “at least in general terms.”
- Categories of cookies. For illustrative purposes, the Guidelines provide factors for categorizing cookies depending on:
- Who manages the cookies (proprietary or third party cookies);
- Purpose (technical, customization, analytical, and behavioural advertising cookies); and
- Duration (session or persistent cookies).
- Notice and Choice:
The AEPD provides the following examples of actions that could be considered a valid consent / affirmative action (where the due information has been provided to users):
- The use of the scroll bar, insofar as the information on cookies is visible without using it.
- On devices such as mobile phones or tablets, by swiping the initial screen and accessing the content.
Note that the AEPD considers that consent must be renewed and updated, at least, every 24 months.
The only thing remaining now is to wait and see how strict the AEPD will be when “enforcing” the criteria described in the Guidelines, and for companies to continue working on their apps, websites, etc., to adapt to them.