Serving Cookies in Spain
by Samuel Martin, Senior Associate, Asensi Abogados
Nobody in the 20th century would have expected that serving cookies would become such a complex matter for European regulators in the following century, and it has nothing to do with cholesterol.
When speaking about cookies on the Internet, a broad definition needs to be considered: it covers any software installed on users' devices when they access a website or download a software application, through which the owner of that website or app, or any of its providers, collects information of any kind from those users and their devices.
That said, it was in 2009 that the European legislator addressed a concern that had been floating around the online world for years by putting it down in black and white. Directive 2009/136/EC set out a new approach to serving cookies by enhancing the information that must be provided to users about such cookies and establishing the obligation to request their consent before any cookies are served.
Implementation of this Directive by EU Member States has been late and confusingly addressed in most jurisdictions. This has led the Internet-based industry to turn its back on the matter, relying on the lack of enforcement by regulators, which have for years been aware of that confusion and of the absurdity of chasing “one” when “everyone” is in the same non-compliant situation.
Things have changed in Spain, this time hopefully for the better. Following the implementation of the Directive in Spanish law (Article 22 of the Ley 34/2002, de 11 de Julio, de Servicios de la Sociedad de la Información y de Comercio Electrónico), the Spanish Data Protection Agency, together with representatives of the online industry, has published the first guide in Europe to address the two main obligations of information and consent for the installation of cookies.
Relying on widespread non-compliance is no longer an option, since the industry is rapidly adopting one or another of the proposed models and the uncertainty about how to interpret the law has also been removed. The good thing: complying in Spain is complying everywhere else in the EU.
The guide defines the information that must be given to users as enough to ensure that the user (i) understands the purpose of cookies, that is, what their features are; (ii) knows what use is made of such data, that is, what we do with that information; (iii) knows to whom this information is disclosed; and (iv) knows how to avoid this data collection.
Regarding consent, different options for deeming it granted are available, but they must always respect the fact that mere user inactivity does not amount to consent, that users must be able to revoke their consent at any moment, and that the tools for such revocation should be easily available.
Online gaming operators, whose whole business is based on users accessing their platforms, are a first-level target for the guide, and we can already find a few good examples of compliance.
Review both your cookies and your cholesterol. You will not regret it.
SAMUEL MARTIN
Senior Associate
Head of IT Law Department
Asensi Abogados