Under existing law, penalties for noncompliance can reach up to 30,000 Euros for the lesser level of sanctions, so it seems crucial to be able to give an affirmative answer to this question.
Recently, on the occasion of the publication of our website, we found ourselves needing to verify that we comply with the Spanish Law 34/2002, named “Ley de Servicios de la Sociedad de la Información y de Comercio Electrónico” (LSSI), which could be translated as Law on Information Society Services and Electronic Commerce. It is noteworthy that pages without economic activity are excluded from the scope of the LSSI. When is a web page considered to have economic activity? When products are sold on it, when it contains adverts, or when it is related to business or professional activities.
You will probably have noticed that lately, when accessing many websites, a pop-up or an informative banner at the top or the bottom of the page interrupts you and warns, with more or less skill and at more or less length, that the site is using cookies. A link to further information on the cookies and the company's policy about them is also provided. These pop-ups show a button asking for permission to install cookies on your computer and/or a notice advising that if you continue browsing you will be implicitly accepting them.
Although this legal requirement has existed for many years and the current wording of Article 22.2 of the LSSI was drawn up in 2012, Mr. Pablo Fdez. Burgueño, founding partner at Abanlex, a law firm specialized in technology, Internet and data protection, and author of the blog www.pabloburgueno.com, seems to be responsible for the sudden proliferation of this kind of message about cookies, by having published a post on the disciplinary proceedings for breach of the law initiated by the Spanish Data Protection Agency (AEPD) against a company he represents. The fuss and novelty is that the AEPD had never done this before.
Following amendments to the LSSI by the Royal Decree Law 13/2012 of 30th March, Article 22.2 of the Law states:
Service providers can use storage devices and data recovery in the recipients' equipment, provided that they have given their consent after they have been provided with clear and comprehensive information on their use, in particular on the purposes of processing data in accordance with the provisions of Organic Law 15/1999, of 13th December, “Law on Protection of Personal Data”.
Where technically possible and effective, the consent of the recipient to accept the processing of data could be given by using the appropriate settings of a browser or other applications, provided that they should proceed to its configuration during installation or upgrade by an express action for this purpose.
This does not prevent any storage or access of strictly technical nature for the sole purpose of carrying out the transmission of a communication by an electronic communications network or, to the strictly necessary extent, for the provision of an electronic service explicitly requested by the recipient.
Let’s start with the basics: What is a cookie?
According to the AEPD, a cookie is any file or device that is downloaded to the equipment of a user in order to store data that can be updated and retrieved by the entity responsible for its installation.
What types of cookies are mentioned in the AEPD guide?
– According to the managing entity, there are first party cookies (installed by the website itself) and third party cookies (sent and managed by a third party, e.g. Google Analytics cookies).
– According to the period for which they remain active, the AEPD distinguishes between session cookies (which expire when the user closes the browser) and persistent cookies (which may remain active from minutes to years).
– According to their purpose, a distinction is made between technical cookies (which enable and facilitate navigation on the website), user preference cookies (e.g. recalling the default language, browser, etc.), analytics cookies (which allow the installer to monitor and analyze the number of visitors, their location and how they behave on the website) and advertising cookies (which track the user's online behaviour for the purpose of showing ads according to their likes).
Are all cookies affected by the law in the same way?
No. Cookies that are purely technical and serve the website's functionality, as well as those that are necessary for the provision of a service requested by the user, must appear on the page which contains the information about cookies and the company's policy on them, but it is NOT required to obtain the user's prior consent to install them.
What should I do to comply with Article 22.2 of the Law?
The AEPD is clear: the user must be fully informed about the use of cookies and has to give prior consent. Let's see how, according to their own guide:
a) Duty to inform
The information about the cookies provided when asking for consent must be comprehensive enough to enable users to understand the purpose for which they are installed and to know what they will be used for.
First, we have to warn the user that our website will install cookies whilst they are browsing it, whether the cookies are created by our site or come from a third party, and what their purposes are. A warning message is required if any further activity from the user is to be taken as acceptance. The notice must include a link to a page which contains the following information: a general definition and function of cookies, a list of all the cookies that our site installs and their use, information on how to disable or delete cookies using either our website or each of the main browsers, and finally identification of the data controller, whether the publisher or a third party.
b) Obtaining consent
Consent can be granted explicitly, by clicking on the appropriate button or field to accept the cookies, or implicitly, by any further activity on the web page after the information on the cookies has been displayed and the user has been warned. But the bottom line here, and this is what the Royal Decree Law 13/2012 changed, is that the user's consent must now be obtained PRIOR to the installation of any cookies, and it is at this point where a large number of websites currently breach the law.
Apart from the exceptions mentioned above, before installing a single cookie on the user's computer you have to inform them clearly and receive their consent.
Therefore, you will be breaching the law if:
– You do not clearly inform, with a banner or a pop-up message, that your website installs cookies, explain their purpose and add a link to the page in which you provide all the required information.
– You do not request the user's implicit or explicit consent.
– You do not fully block the installation of cookies until you have received the consent of the users to download them to their computer.
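The third point is the one most sites get wrong, so here is an added example (not code from the original post) of how a site can gate its own cookie writes and its third-party script loaders behind consent, letting only the technical cookies exempted by Article 22.2 through beforehand. It assumes a hypothetical cookie inventory maintained by the site and that the analytics loader is only ever invoked through the gate.

```javascript
// Added example (not the post's own code): a consent gate that keeps third-party
// analytics/advertising cookies from being installed before the user has consented,
// while still allowing the purely technical cookies Art. 22.2 exempts.
// Assumption: the site keeps an inventory of every cookie it sets, and the analytics
// loader (the function injecting the third-party <script>) is only called via the gate.
const EXEMPT = new Set(["technical", "service"]); // may be written before consent

// Constructed cookie inventory for a hypothetical site (names are illustrative).
const INVENTORY = {
  session_id: { party: "first", category: "technical" },
  cookie_consent: { party: "first", category: "technical" },
  _ga: { party: "third", category: "analytics" },
  _gid: { party: "third", category: "analytics" },
  ad_id: { party: "third", category: "advertising" },
};

class ConsentGate {
  constructor() { this.consent = null; this.bannerShown = false; this.deferred = []; }
  // The informative banner with the link to the cookie policy page has been displayed.
  showBanner() { this.bannerShown = true; }
  // Queue a loader until consent exists; run it immediately if consent was already given.
  defer(name, load) {
    if (this.consent) load(); else this.deferred.push({ name, load });
  }
  // "explicit": the accept button. "implicit": further browsing, valid only after the banner.
  grant(how) {
    if (this.consent) return false;
    if (how === "implicit" && !this.bannerShown) return false;
    this.consent = how;
    for (const d of this.deferred) d.load();
    this.deferred = [];
    return true;
  }
  // May this cookie be written right now? Unknown cookies are blocked: they are not on the list.
  mayWrite(cookieName) {
    const entry = INVENTORY[cookieName];
    if (!entry) return false;
    return EXEMPT.has(entry.category) || this.consent !== null;
  }
}

// Audit a document.cookie-style string ("a=1; b=2") and return the cookie names
// that should not be present in the gate's current state.
function auditCookies(cookieString, gate) {
  return cookieString.split(";").map(s => s.trim()).filter(Boolean)
    .map(s => (s.includes("=") ? s.slice(0, s.indexOf("=")) : s))
    .filter(name => !gate.mayWrite(name));
}
```

In a browser, `auditCookies(document.cookie, gate)` run before consent should return an empty list; any name it reports is a cookie being installed too early.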
How can I check which cookies my site installs?
A simple way to check which cookies your website installs is to use Google's Chrome browser: after clearing the cache, history and cookies, go to the address bar and click on the icon that precedes the site address. There you can find the cookies that your site installs.
What are the consequences of the noncompliance?
The law is clear on this point. Infringement of the duties of information and of the cookie rejection procedure can result in a fine of up to 150,000 Euros in cases of significant noncompliance and up to 30,000 Euros in the case of lesser penalties.
The failure to block installation of the cookies until consent is granted shall be considered as a noncompliance, as wisely interpreted in their blogs by the lawyers Ruth Benito Martín (www.conlaveniasenorias.com) and Pablo Fdez. Burgueño (www.pabloburgueno.com).
Conclusions
Given the existing technical impossibility of complying with the rule for a large number of pages created on certain platforms (because of the difficulty or impossibility of blocking the installation of cookies until the user's consent is granted), and applying some common sense (cookies whose sole purpose is analysis without user identification should not be considered a Trojan horse against our right to privacy), the hope is that the AEPD will close the open disciplinary proceedings by somehow equating analytical cookies with technical or simply operational ones, and settle for the observance of the information duty without requiring the prior consent of the user.
The problem is that until the disciplinary proceedings against Pablo Fdez. Burgueño's client come to an end, it is impossible to have an indication of the path the AEPD will take in the final interpretation of the rule; and while quite possibly the AEPD might not be looking at your site's cookies, you might be unlucky enough to have your web pages visited by the same user who denounced the investigated company, or someone else with a similarly extreme sensitivity to privacy.
It is at this point when the owner of a website that cannot technically block the installation of cookies before the user's consent is given would need to choose between one of these two alternatives:
* To disable all cookies, sacrificing the information that Google provides through its Analytics service and that lets you know the number, geographic location, behavior and other parameters of your website's visitors.
* To keep these analytical cookies enabled, fulfil all the other legal obligations, cross their fingers and hope that the AEPD will not have to get in touch.
Luis M. Vicente Burgos
VICENTE & OTAOLAURRUCHI LAWYERS