Granular approach to cookie consent required in Spain

Out-Law News | 28 Nov 2019 | 4:25 pm

Internet users must be given the chance to make granular choices over the type of 'cookies' to accept being set on their devices, Spain's data protection authority has said.

The Agencia Española de Protección de Datos (AEPD) explained the need for granularity in new guidance it has issued on the use of cookies. The guidance was issued in partnership with advertising industry bodies in Spain.

Cookies are small text files placed on an internet user's device. They are generated whenever the user's device interacts with websites. Websites use cookies mainly because they save time and make the browsing experience more efficient and enjoyable. Cookies also enable websites to monitor their users' web surfing habits and profile them for marketing purposes.

Spanish law and EU privacy laws more generally require website operators and other 'information society service providers' to obtain internet users' consent to the use of cookies, other than those that are strictly necessary, and to provide users with information about how to manage and delete cookies.

To meet the transparency requirements of those laws, information including details of the type of cookies being used, the data they will gather and the purposes for which the data is collected, as well as who the data collected could be shared with, must be disclosed to internet users.

According to the AEPD, the information about cookies that is disclosed to internet users must be displayed alongside a system or configuration panel that enables the user to choose whether or not to accept cookies in a granular form.

The AEPD explained that it is up to website publishers to determine just how granular the cookie consent options need to be. As a minimum, however, users should be able to exercise their consent choices in relation to cookies split into groups according to the purpose they serve. This, the regulator said, might mean enabling users to choose to accept analytic cookies and not cookies which will track their online activity for the purposes of serving them behavioural adverts, for example.

In addition to offering granularity, the AEPD said it expects website publishers to display two buttons on the configuration panel – one that offers the option to accept all cookies and the other to reject all cookies.

The AEPD also confirmed that, in some cases, the act of continued browsing by an internet user can be sufficient to signal their consent to cookies. It provided guidance on the information requirements operators must meet and the technical steps users must take for the legal standard of consent to be met in those circumstances.

The AEPD said that website operators will not have obtained users' consent to use cookies by merely displaying a banner on a webpage that states that consent will be considered to be given if the user keeps browsing.

However, in some cases the AEPD said it is possible for consent to be gleaned from users that do keep browsing.

Firstly, website operators would need to display the information notice in "a clearly visible place" so that, because of its shape, color, size or location, the operators can be assured that the notice has not been missed by the user.

In addition, consent could only be said to be granted from users that keep browsing if they have taken a clear affirmative action in their browsing activities – that means, for instance, that they have navigated to a different section of the website, scrolled down the existing webpage, or clicked on the content on the page, the AEPD said in providing examples. Merely moving the mouse, pressing a key or remaining on the screen displayed, for example, will not be sufficient action by the user to meet the requirements of consent, it said.

Further, the AEPD confirmed that the 'keep browsing' mechanism of consent will only be valid if website operators include a button for rejecting all cookies on their cookie consent system.

The AEPD recently issued budget airline Vueling with a fine of €30,000 after it found fault with the company's cookie consent mechanism.

Other data protection authorities have also updated their own guidance on the use of cookies since the General Data Protection Regulation (GDPR) took effect in May 2018, including the UK's Information Commissioner's Office (ICO) and France's CNIL. With further EU legislative reforms impacting the use of cookies on the horizon, data protection law expert Claire Edwards of Pinsent Masons, the law firm behind Out-Law, warned earlier this year that confusion over how to comply with rules on the use of cookies could have a significant commercial impact.

The EU's highest court ruled in October that the use of pre-checked 'tick' boxes by online service providers does not constitute valid consent to the use of cookies.