Practical tips for complying with cookies legislation
Garrigues, via the legal commission of adigital (Spanish Digital Economy Association, of which it has been a member since the organization was founded), has participated in drafting the “Guía sobre el uso de las cookies” (Guide to the use of cookies) unveiled by the Agencia Española de Protección de Datos (Spanish Data Protection Agency, “AEPD”) on Monday April 29. In addition to adigital and AEPD, Autocontrol and iab (Interactive Advertising Bureau) were also involved in the process.
The aim of the Guide is to provide practical solutions to all information society service providers (mainly, website owners) which install files commonly known as cookies on users’ terminals (PCs, tablets, cell phones, etc.) to store and retrieve data, so that they can fulfill the provisions of article 22.2 of Information Society Services and E-commerce Law 34/2002, of July 11, 2002 (LSSI).
Said article 22.2 LSSI, following its amendment under Royal Decree-Law 13/2012, of March 30, 2012, makes the use of cookies by service providers conditional upon users granting their consent “after they have been given clear and comprehensive information on their use, in particular, the purposes of the data processing, pursuant to Personal Data Protection Organic Law 15/1999, of December 13, 1999”. Thus, in the wake of this reform, the Spanish legal system adopted an opt-in system for the use of cookies, ending the opt-out system envisaged by this same article 22.2 LSSI in its original wording.
The exception to the requirement to obtain the user’s prior informed consent is the installation of cookies that are necessary solely in order to transmit a communication via an electronic communications network, or to the extent that this is strictly necessary in order to provide a service expressly requested by the recipient.
Although the current wording of article 22.2 LSSI has been in force since April 1, 2012, many doubts had arisen as to the manner in which the entities affected should provide information to users on the use of cookies and the possible means of obtaining their consent. The Guide, together with Opinion 4/2012 of the Article 29 Data Protection Working Party on this same subject, provides the guidelines that the sector was calling for without seeking, needless to say, to provide an integral, across-the-board solution to comply with the law.
Now, information society service providers that use cookies already have all the information they need to successfully analyze the cookies they use (their own or those of third parties), a task that is not always easy, and, based on that analysis, to prepare an adequate information policy on cookies and implement the appropriate measures to obtain, where applicable, users’ consent.
Garrigues’ Corporate Law and Technology & Outsourcing Departments