Support Centre

Spain: AEPD guidelines on cookies

Since the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), cookie-related matters in Spain have not been easy for businesses navigating the unusual uncertainty, nor for privacy professionals struggling to ascertain what the right criteria should be. Law 34/2002, of 11 July, on Services of the Information Society and Electronic Commerce ('the Information Society Law') also sets out the criteria for information society services using cookies. Rafael Garcia del Poyo, Samuel Martinez, and Mario Gras, Partner, Senior Associate, and Associate respectively at Osborne Clark LLP, provide an overview of the current laws and guidelines in place to regulate the use of cookies, and discusses their effectiveness.

Beyhes Evren / Signature collection / istockphoto.com

This situation arises by consequence of a two-factor combination: on one hand the ill-fated and still unborn proposed Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) ('the Draft ePrivacy Regulation'), which has been rejected by the Council of the European Union at the time of publication, and on the other hand, the already outdated Spanish implementation of the E-Commerce Directive (Directive 2000/31/EC) - Law 34/2002, of 11 July, on Services of the Information Society and Electronic Commerce ('the Information Society Law').

The two-speed world

The Information Society Law helps services who rely on the 'implied' consent of users after providing them with 'clear and complete information' on the use of cookies.

From a practical perspective, this entails a 'we use cookies and by using our services you accept them' scenario, a position that was endorsed by the Spanish data protection authority ('AEPD') back in 2013 within its Guidelines on the Use of Cookies ('the 2013 Guidelines on Cookies').

This standpoint would not have generated further issues if cookies had remained the harmless 'text files' they were at the time the Information Society Law was first modified to include the reference to cookies.

However, cookies saw their recipe improved and grew to become 'super-cookies,' also known as 'zombie cookies,' or more technically, flash cookies or local shared objects. Cookies even managed to mutate into new forms of tracking technologies, such as web beacons, pixels, and bugs, that today contribute to the generation of the so-called 'digital fingerprint1' of users.

With respect to data protection regulation, cookies were in their origin considered as capable of gathering personal information that was impossible to link to any individual in particular. However, as technology exponentially thrived, identifying individuals and their particular preferences became possible, so advertising companies began to take advantage of the huge technological advance provided by the cookies to increase the potential impact of their commercial communications.

Although somewhat late to the party from a technological standpoint, case law finally considered that cookies were collecting data that should be considered as individual's personal information, so regulators in various countries reacted to cookies, shyly at first, by considering that implied consent from individuals was enough to allow the use of cookies when surfing Internet websites.

The new paradigm

The GDPR came along with great changes for the data protection regime. 'Consent' became one the legal basis for the processing of personal information while, in contrast, the type of consent which was envisaged by the Draft ePrivacy Regulation could actually materialise in various forms, such as 'implied consent,' among others.

According to the definition contained in the GDPR, the consent of users/data subjects means 'any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.'

As data protection and e-commerce legal regimes should be applied at the same time, and given that cookies are considered personal information by case law, the consent required by the Information Society Law for the use of cookies should now be understood as the one envisaged by the GDPR.

However, this view was not broadly shared at first, as it affects the long-established 'ads-funding' scheme of lots of websites. In spite of that initial struggle, more and more websites across Europe are adapting their cookie warnings to comply with this requirement, even more since two EU supervisory authorities, the Information Commissioner's Office ('ICO') in the UK and the French data protection authority ('CNIL') in France, have shared this view.

In that particular tug-of-war scenario, the AEPD has tried to offer some guidance by updating its guidelines on cookies, cautiously involving some of the Spanish entities directly connected to the big players of the ads market in the process of drafting, which were already involved in the drafting of the 2013 Guidelines on Cookies.

What is not a surprise is that the AEPD's updated Guidelines on the Use of Cookies of November 2019 ('the Guidelines') do not differentiate between cookies and any other tracking technologies, encompassing all these instruments under the 'data storage and retrieval devices' concept envisaged by the Information Society Law in its near-original wording from 2003.

Perhaps a more detailed and technical approach would have been desirable in order to ascertain which of these technologies are more invasive. However, no specific guidance has been offered with respect to the type of technology used, although, as IT experts very well know, they should not be treated as equals, given that the information that each tracking instrument is able to collect can differ significantly.

Thus, the only cookies-related classifications that the Guidelines establish are the 'controller' of the cookie (proprietary or third party cookies), the 'purpose' that cookies serve (technical, customisation, analytics, advertising, etc.), and the 'time' that cookies remain in users' devices (session, persistent).

The expected guidance

Across its 39 pages, the Guidelines thoroughly review the different elements considered by the AEPD as key to the processing of personal data by means of cookies, but the key point of the Guidelines is Section 3.2 ('the Section on Consent'), which relates to consent. The Section on Consent considers several modalities by which consent might be obtained, although the more controversial of those methods is a variation of the so-called 'layered information model.'

Although the layered information model is not at all new for the Spanish data protection laws, the Section on Consent introduces a feature that might be seen as controversial in light of the GPDR. The layered information model consists of providing the relevant information to data subjects separated into two different layers, a first layer containing 'basic' data protection information, and a second layer, which shall contain all the detailed information required by the GDPR.

This layered model has already been a widespread standard for cookies, where the banner or pop-up serves as the first layer, and the cookie policy as the second layer. In this sense, the Guidelines state that consent can be obtained from the first layer, for example, by means of a button for acceptance.

However, within the Section on Consent, it is also stated that some actions 'shall be also be understood as granting consent when users perform it after being informed on cookie use and being warned that to keep browsing would equal to accept cookies.'

The specific actions mentioned by the Guidelines are:

  • using the scrolling bar, only when information regarding cookies is accessible without using it;
  • clicking on any link included on the webpage, other than the links to cookie and privacy policy; and
  • in portable devices, swiping in any direction to access the contents.

This view has been subject to some criticism since the publication of the Guidelines, as it could be considered that the actions mentioned might be encompassed under the old concept of implied consent, in particular the use of the scroll bar. In fact, some critics consider that the above mentioned actions may not regarded as consent under the definition of the GDPR.

The arising doubts

Therefore, whether this form of granting consent for the use of cookies complies with the definition of the GDPR, and if the 'continue browsing model' (see below) is compliant with the elements required for a 'statement' or a 'clear affirmative action2,' is a question that should be subject to scrutiny.

In this sense, there are some points contained in the Guidelines that should be pointed out in relation to this way of granting consent to cookies, that are intended to serve as a guarantee of the rights and freedoms of data subjects. The Guidelines expressly mention that:

  • the first layer of information (cookie banner or pop-up) should expressly warn about this (according to the Guidelines, it would be sufficient to include an expression like, 'if you continue browsing, we consider that you accept cookies');
  • the first layer of information should include mechanisms for users to reject cookies or configure the categories of cookies to which they wish to consent;
  • the first layer of information should not contain any mechanisms for cookie acceptance (e.g. an 'I accept' button), so as not confuse users;
  • the first layer of information should be placed in a noticeable part of the website, so given its colour, dimension, or location, it can be ensured that it does not go unnoticed by users; and
  • no special categories of personal data are collected by cookies.

These particular obligations seem to offer some protection to user rights, although it might be difficult to construe that they fulfil the gap between the scrolling action and a 'clear affirmative action' in certain situations. This is because it is not inconceivable that users do not read or pay any attention to the cookies banner, even if it is presented in a clearly visible way.

On a normal day, users can browse through several dozens of websites, and the overwhelming number of ads that most of the websites contain has led users to quickly navigate through all those windows and pop-ups, closing them before even starting to read, in order to get access to the content.

This fact raises the question on how a user scrolling down on a website and rushing to the contents can give informed consent by simply scrolling down a website, when they have not even read the information on the purposes or on the addressees of its personal data.

On a separate note, but taking into account the aforementioned view on users' behaviour on websites, it seems also difficult to ascertain how scrolling on a website could be considered as a 'freely given and unambiguous indication,' as such action can even be carried out unintentionally by users.

Explicit consent

Another issue that we might identify after reading the Guidelines is the reference to explicit consent. Although not very different from standard consent3, explicit consent integrates a feature that might change the whole view on the aforementioned 'continue browsing' model for cookie consent.

As contained in the GDPR, but not defined by its wording, the European Data Protection Board ('EDPB') interpreted that explicit consent is 'required in certain situations where serious data protection risks emerge, hence, where a high level of individual control over personal data is deemed appropriate.'

The EDPB considers that as the GDPR already prescribes that a statement or clear affirmative action is a prerequisite for 'regular' consent, a standard that is therefore higher than one of the Data Protection Directive (Directive 95/46/EC)4, extra efforts should be undertaken by controllers to obtain explicit consent. In this sense, the EDPB states that, 'where appropriate, the controller could make sure the written statement is signed by the data subject, in order to remove all possible doubt and potential lack of evidence in the future.'

Moreover, it is also stated by the EDPB that, 'for example, in the digital or online context, a data subject may be able to issue the required statement by filling in an electronic form, by sending an email, by uploading a scanned document carrying the signature of the data subject, or by using an electronic signature.'

Example 17 of the Article 29 Working Party ('WP29') Guidelines on Consent under the GDPR envisages a less burdensome requirement, by considering that, 'A data controller may also obtain explicit consent from a visitor to its website by offering an explicit consent screen that contains Yes and No check boxes, provided that the text clearly indicates the consent, for instance.'

According to the WP29's Guidelines on Automated individual Decision-making and Profiling for the purposes of the GDPR5 ('the WP29 Guidelines'), explicit consent is required by Article 22 of the GDPR, for example, in the context of automated decision-making, including profiling. The WP29 Guidelines are of particular importance given that all processing made through cookies is automated, and such automated processing normally gives rise to individual decision-making, which might have a significant effect on individuals.

This point is also similarly addressed by the Guidelines, indicating that the 'continue browsing' method for obtaining consent shall not be valid when explicit consent is required, stating, 'In many typical cases the decision to present targeted advertising based on profiling will not have a similarly significant effect on individuals.'

In our opinion, for a better understanding of the issue, this quotation should be completed with the remainder of the sentence, as originally written in the WP29 Guidelines: 'In many typical cases the decision to present targeted advertising based on profiling will not have a similarly significant effect on individuals, for example an advertisement for a mainstream online fashion outlet based on a simple demographic profile: 'women in the Brussels region aged between 25 and 35 who are likely to be interested in fashion and certain clothing items [emphasis added].''

Additionally, the WP29 Guidelines further envisaged that, 'However it is possible that it may do, depending upon the particular characteristics of the case, including:

  • the intrusiveness of the profiling process, including the tracking of individuals across different websites, devices and services;
  • the expectations and wishes of the individuals concerned;
  • the way the advert is delivered; or
  • using knowledge of the vulnerabilities of the data subjects targeted.'

Therefore, additional guidance from the AEPD in this respect would be welcomed, as most of the processing of personal data made through cookies is affected by some of these points, in particular, the tracking of individuals across different websites, devices, and services. By way of example, some aspects of social media network operations are based on such tracking.

Without intending to achieve an in-depth analysis of this question, it should also be considered that many processing activities made through cookies might include the international transfer of the personal data to providers located in third countries in which appropriate safeguards are not in place, and which shall be made relying on data subject's explicit consent.

Finally, processing of special categories of personal data, although not usually in cookie-based processing activities6, would also require explicit consent of the data subject when no other exception of Article 9(2) of the GDPR can be applied.

All these reasons pose another layer of concern on the use of the controversial way 'continue browsing' model for obtaining consent. It seems that this method might be much more restrained than the one that could be initially considered from reading the Guidelines, although it is not clear if this shall be the conclusion reached by many companies that are trying to maintain an easy and convenient way to obtain funding.

Conclusions

The data protection supervisory authorities play an instrumental part in the protection of individuals' rights and freedoms in an exponentially increasingly digitalised world. Guidance provided by such authorities should try to offer the most detailed and comprehensive ways to comply with applicable laws, while balancing the protection of the various interests at stake.

Offering a pro-business view is not always the most beneficial position in the long term, in particular for companies with a high risk of significant loss of image and reputation. In this sense, more detailed guidance from the AEPD on the different tracking technologies that are being used by most of the major players of the online environment would have been of great help with the current situation on cookies, as the Draft ePrivacy Regulation proposal is being repealed over and over again.

Moreover, doubts arise regarding the 'continue browsing' method for obtaining user consent mentioned in the Guidelines, as it could be argued that explicit consent should be required in a great number of situations, in which profiling produces significant legal effects on users, special categories of personal data are being processed, or certain international data transfers rely on users' consent.

The 'consistent application' principle of European laws, also expressly envisaged by Article 51(2) of the GDPR, entails the need to observe the criteria adopted by other supervisory authorities and to coordinate positions between the supervisory authorities themselves and at the same time with the European Commission, by means of the cooperation mechanism contained in Chapter VII of the GDPR.

Therefore, at the end of the day, the life expectancy of some views posed by the Guidelines might not be long, once the proposal for the Draft ePrivacy Regulation is finally passed, or if European courts are requested to rule on a particular controversy that directly addresses this subject matter.

Rafael García del Poyo Partner
[email protected]
Samuel Martinez Senior Associate
[email protected]
Mario Gras Associate
[email protected]
Osborne Clarke, Madrid


1. An interesting study on fingerprinting and the potential identification of individuals based on it drafted by the AEPD can be accessed at: https://www.aepd.es/media/estudios/estudio-fingerprinting-huella-digital-EN.pdf
2. According to the GDPR definition of consent, envisaged by its Article 4(11).
3. The ICO has considered that 'Explicit consent is not defined in the GDPR, but it is not likely to be very different from the usual high standard of consent […] Consent that is inferred from someone’s actions cannot be explicit consent, however obvious it might be that they consent. Explicit consent must be expressly confirmed in words.'
4. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (repealed by the GDPR).
5. Article 29 "Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679", adopted on 3 October 2017, revised and endorsed by EDPB on 6 February 2018.
6. However, scenarios in which special categories of personal data are being processed on an internet environment are becoming more and more usual given the increasing variety of information society services (e.g. health related data for online beauty advice or online medical advice purposes).