Adaptation cookies RSPD
DUTY OF DISCLOSURE
1 | COOKIES ADAPTATION 2024 (Review December 2023)
If the company has a website, it must adapt the cookie notice to both the Guidelines 05/2020 on consent and the Guidelines 3/2022 on misleading patterns issued by the European Data Protection Board (EDPB).
The main change under the former is that the traditional ‘Continue browsing’ text in a website's initial cookie notice is not a valid form of consent.
The main change under the latter is that the actions of accepting and rejecting cookies must be presented in a prominent place and format, and both actions must have the same level of importance, so that rejecting cookies is no more complicated than accepting them.
Therefore, we have adapted the information texts for the first layer with basic information and the link to the second layer with the complete information text to both Guidelines.
The company must contact the web designer or the company that created the website so that they apply the new texts in both the first and second layers, adding the cookies used by the site, their purpose and their duration. These new criteria must be implemented by 11/01/2024 at the latest.
2 | WEBSITE
Cookies:
Firstly, it is necessary to point out that cookies used for any of the following purposes are exempt from compliance with the obligations established in article 22.2 of Law 34/2002, of 11 July, on information society services and electronic commerce (hereinafter LSSI):
- Allow only communication between the user's equipment and the network.
- Strictly to provide a service expressly requested by the user.
In this regard, the AEPD's Article 29 Working Party, in its Opinion 4/2012, has interpreted that the exempted cookies would include those used for the following purposes:
- User input cookies
- Authentication or user identification cookies (session only)
- User security cookies.
- Media player session cookies.
- Session cookies for load balancing.
- User interface customisation cookies.
- Plug-in cookies to exchange social content.
Therefore, it can be understood that these cookies are excluded from the scope of application of article 22.2 of the LSSI and, therefore, it would not be necessary to inform or obtain consent for their use. On the other hand, it will be necessary to inform and obtain consent for the installation and use of any other type of cookies, whether first-party or third-party, session or persistent, being subject to the scope of application of article 22.2 of the LSSI.
In the event that personal data are collected from users by means of cookies other than those mentioned above, prior notice should be given of the activation of these cookies with the information texts provided.
The regulation does not specify ways of informing and obtaining consent, nor is there a single way of fulfilling this duty, but there are multiple systems for doing so. One simple way to fulfil your duty to inform about cookies is through a system known as ‘layered information’.
In this way, when the user accesses your website, the essential information is shown in a first layer and, if he/she wants to complete the information, it is provided in a second layer, which he/she would access by clicking on a button or link.
The installation of cookies will only be valid once the user has given unequivocal consent (by clicking the ACCEPT button), which must be displayed before accessing the website. If this action is not taken, the website will not be displayed and cookies will not be installed, as stated by the European Data Protection Board (EDPB) in the Guidelines 05/2020 on Consent. The Board considers that the option to ‘continue browsing’ does not under any circumstances constitute a valid form of consent.
The Guidelines 03/2022 also address how the cookie options should be displayed: the buttons or equivalent mechanisms should be easily visible and should be the same size for both options, Accept (Accept Cookies, Consent or similar text) and Reject (Reject Cookies or similar text). Depending on each website and the type of technology it uses, another button may also be added, similar or not to the Accept and Reject buttons, which displays or leads to a configuration panel that allows granular configuration of all the types of cookies that are used.
In any case, taking into account the text of the notice and the mechanisms used, the function fulfilled by each of these mechanisms should be obvious to the user. In addition:
- The user shall not be given the impression that he/she has to accept cookies in order to browse the website.
- The user must not be clearly pushed towards accepting cookies.
- The colour or contrast of text and buttons (or equivalent mechanisms) must not be obviously misleading to users, so as to lead to unintended consent. It is not valid, for example, for the option to reject cookies to be a button with text that does not contrast sufficiently with the colour of the button and therefore cannot be read.
Below are the texts that, as an example, the Spanish Data Protection Agency (AEPD) proposes for both the first and the second layer. It is up to the company to choose the best option that suits its needs and its website.
IMPORTANT NOTE:
Below, and throughout this document, you will find in brackets and with the text in red, the notes in which I explain the necessary actions to be taken.
It is vital to pay attention to these texts because they will indicate how the web designer should proceed in order to comply correctly with the regulations on personal data protection and avoid complaints in this regard.
Failure to comply with the legal obligations imposed by the regulation, the obligation of transparency and the obligation to obtain the user's consent could result in the company being sanctioned by the AEPD.
For this reason, we believe that it is essential, if you have a website, to comply with each and every one of the recommendations explained in this document.
Information on the first layer of cookies
OPTION 1
COOKIE INFORMATION
We use our own and third-party cookies to analyse the use of the website and to show you advertising related to your preferences based on a profile of your browsing habits (e.g. pages visited). Cookie policy.
[NOTE: Cookie policy would be a link to the second layer page.]
REFUSE COOKIES | CONFIGURE COOKIES | ACCEPT COOKIES
OPTION 2
COOKIE INFORMATION
Configure without acceptance [NOTE: Configure without acceptance would be a link to the cookie settings page.]
We use our own and third-party cookies to analyse the use of the website and to show you advertising related to your preferences based on a profile of your browsing habits (e.g. pages visited). More information.
[NOTE: More information would be a link to the second layer page.]
Accept cookies?
NO | YES
Set up Cookies
The link or button to manage cookies should take the user directly to the settings panel, without the user having to scroll through large amounts of text looking for the information, which should remain permanently accessible. The panel may be integrated into the second layer of information.
To facilitate the selection, two buttons may be implemented on the panel, one to accept all cookies and one to reject all cookies; this option is more advisable the greater the number of different cookies used. If the second or third example is used as a way of obtaining consent, a button to reject all cookies should be included on the panel to respect the requirement that it should be as easy to withdraw consent as it is to give it. For example, this requirement will be considered satisfied if the settings panel includes a ‘Reject all cookies’ button, or a button to save the choice made by the user, provided that in this second case it is also expressly stated that saving the choice without having selected any cookies is equivalent to rejecting all cookies. With regard to this second possibility, it should be remembered that pre-ticked boxes in favour of accepting cookies are never admissible. Where the save button is used, the following may be indicated:
Clicking ‘Save settings’ will save the cookie selection you have made. If you have not selected any option, pressing this button will be equivalent to rejecting all cookies.
However, it is advisable to take into account the following rules:
- At a minimum, cookies should be grouped according to their purpose (e.g. the user could choose to accept analytical cookies and not behavioural advertising cookies).
- Within each purpose, and at the choice of the website publisher, cookies could also be grouped according to the third party responsible for them (for example, the user could choose to accept analytical cookies from one third party and not those from another).
- In relation to third party cookies, it is sufficient to identify them by their name or by the brand by which they are identified to the public, without including the full company name.
- Maximum granularity (cookie-by-cookie selection) should be avoided, as too much information makes decision-making difficult.
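The settings-panel behaviour described above (nothing pre-ticked, grouping by purpose, a save with no selection counting as a rejection of all cookies) can be expressed as a small consent gate. This is an added example, not text proposed by the AEPD; the purpose names, the "technical" label for exempt cookies and the cookie inventory are assumptions constructed for illustration.

```javascript
// Added example: consent state behind a cookie settings panel.
// Purpose names and the cookie inventory are constructed for illustration.
const EXEMPT = "technical";                 // assumed label for exempt cookies
const PURPOSES = ["preferences", "analytics", "advertising"];

// Constructed inventory: every cookie is declared with its purpose and party.
const INVENTORY = [
  { name: "session_id", purpose: "technical",   party: "first" },
  { name: "ui_lang",    purpose: "preferences", party: "first" },
  { name: "_stats",     purpose: "analytics",   party: "third" },
  { name: "_ads",       purpose: "advertising", party: "third" },
];

// Initial state: nothing pre-ticked, no decision recorded yet.
function newConsent() {
  const granted = {};
  for (const p of PURPOSES) granted[p] = false;
  return { decided: false, granted };
}

// "Save settings": only explicitly ticked purposes are granted.
// An empty selection is recorded as a rejection of all cookies.
function saveSettings(selected) {
  const c = newConsent();
  for (const p of selected) {
    if (!PURPOSES.includes(p)) throw new Error("unknown purpose: " + p);
    c.granted[p] = true;
  }
  c.decided = true;
  return c;
}

const acceptAll = () => saveSettings(PURPOSES);
const rejectAll = () => saveSettings([]);

// Gate to call before writing any cookie. Scrolling or continuing to
// browse never changes `consent`, so it can never unlock a cookie.
function maySetCookie(consent, cookieName) {
  const entry = INVENTORY.find((c) => c.name === cookieName);
  if (!entry) return false;                 // undeclared cookies are blocked
  if (entry.purpose === EXEMPT) return true;
  return consent.decided && consent.granted[entry.purpose] === true;
}

// Cookies to delete after the user narrows or withdraws consent.
function cookiesToRemove(consent) {
  return INVENTORY.filter((c) => !maySetCookie(consent, c.name)).map((c) => c.name);
}
```

Because undeclared cookies are blocked by default, any cookie a third-party script tries to add has to be entered in the inventory, with its purpose, before it can be set.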
Information on the second layer of cookies
a) Definition and function of cookies
What are cookies?
A cookie is a file that is downloaded to your computer when you access certain websites. Cookies allow a website, among other things, to store and retrieve information about the browsing habits of a user or their computer and, depending on the information they contain and the way you use your computer, they can be used to recognise the user.
This website uses cookies and/or similar technologies that store and retrieve information when you browse. In general, these technologies can be used for a variety of purposes, such as, for example, recognising you as a user, obtaining information about your browsing habits, or customising the way in which content is displayed. The specific uses we make of these technologies are described below.
What kinds of cookies are there?
Depending on who manages them:
- First-party (own) cookies: these are cookies that are sent to the user's computer from the domain managed by the website visited and from which the service requested by the user is provided.
- Third-party cookies: these are cookies that are sent to the user's computer from a domain that is not managed by the website visited, but by another entity that processes them.
Depending on the purpose:
- Technical cookies: are those that allow the user to browse through a website and use the different options or services that exist on it, including those that allow us to manage and operate the website and enable its functions and services, such as, for example, controlling traffic and data communication, identifying the session, accessing restricted access areas, remembering the elements that make up an order, carrying out the purchase process of an order, managing payment, controlling fraud, applying for registration or participation in an event, counting visits, etc.
- Preference or personalisation cookies: these are cookies that allow information to be remembered so that the user can access the service with certain characteristics that can differentiate their experience from that of other users, such as, for example, the language, the number of results to be shown when the user performs a search, the appearance or content of the service depending on the type of browser through which the user accesses the service or the region from which they access the service, etc.
- Analysis cookies: These cookies allow us to quantify the number of users and thus carry out the measurement and statistical analysis of the use made by users of the service offered. To do this, your browsing on our website is analysed in order to improve the range of products or services that we offer.
- Advertising cookies: These cookies allow us to manage the supply of advertising space on the website as efficiently as possible, adapting the content of the advertisement to the content of the service requested or to the use you make of our website. To do so, we can analyse your browsing habits on the Internet and we can show you advertising related to your browsing profile.
Depending on the period of stay:
- Session cookies: these are designed to collect and store data while the user accesses a website. They are usually used to store information that only needs to be kept for the provision of the service requested by the user on a single occasion (for example, a list of products purchased) and disappear at the end of the session.
- Persistent cookies: these are cookies in which the data remain stored in the terminal and can be accessed and processed for a period defined by the party responsible for the cookie, which can range from a few minutes to several years.
b) Information on the type of cookies and their purpose
Which cookies do we use?
[NOTE: This section must be completed by the company and will vary depending on the characteristics and technology of each website. Consult the programmer or the company that designed the website. Each cookie used must be identified, stating whether it is your own or from third parties, its purpose and the period of conservation. A procedure for selecting and eliminating them must also be enabled].
c) Identifying who is using cookies
[NOTE: If the information obtained by the cookies is processed by a third party, the third party must be identified, which can be done in a simple way with its name or brand and a link to its cookie policy].
d) Information on how to accept, refuse or revoke consent
[NOTE: If the company has a cookie configuration system, options 2-3 of the first layer must be linked to it or deployed on this page of the second layer and, if it does not have one, the following browser configuration must be used].
Cookie settings for the most popular browsers (these steps may vary depending on your browser version)
Chrome:
Go to Settings by clicking on the customisation icon at the top right with three vertical dots.
Go to Privacy and Security.
Select Cookies and other website data.
There you can choose how cookies are controlled.
Edge:
Go to Settings by clicking on the three horizontal bars at the top right of the browser.
Click on Settings and then on Cookies and site permissions.
There you can choose how cookies are controlled.
Firefox:
Go to Settings by clicking on the three horizontal bars at the top right of the browser.
Click on Privacy & Security.
In Cookies and site data you can manage everything related to cookies.
Opera:
Go to Easy Settings by clicking on the three horizontal bars at the top right of the browser.
Click on Privacy and Security.
In Cookies and other site data you can manage everything related to cookies.
Safari for OSX:
Go to Preferences, then Privacy.
Here you will see the option Block cookies for you to set the type of blocking you want to do.
Safari for iOS:
Go to Settings, then Safari.
Go to Privacy and Security, you will see the option Block cookies for you to adjust the type of blocking you want to do.
Android:
Launch the browser and press the Menu key, then Settings.
Go to Security and Privacy, where you will see the Accept cookies option with a box to check or uncheck.
e) Other information on cookies
No data is transferred to third parties and no automated profiling is carried out with the information obtained from cookies.
You can access more information about your privacy in the Legal Notice of the Web.
In addition, you can always lodge complaints about your rights with the Supervisory Authority (www.aepd.es) which also has several guides on cookies and privacy on the web.
How the information should be displayed:
Both the cookie information and the privacy policy and legal notice must comply with the following rules:
a) Information or communication should be concise, transparent and intelligible.
The information should be brief, should not be extensive in its content, and should use clear and simple language, so that it can be understood by the average user, avoiding overly legal texts, naming for example articles of the regulation, or quoting paragraphs of the regulation literally.
We must take into account the type of average user who visits our website and adapt the style of the language of the information to their technical level.
b) Clear and simple language should be used, avoiding the use of phrases that lead to confusion or detract from the clarity of the message.
For example, phrases such as the following should be avoided:
‘we use cookies to personalise your content and create a better experience for you’.
‘to improve your navigation’.
‘we may use your personal data to provide personalised services’.
Terms such as ‘may’, ‘could’, ‘some’, ‘often’, and ‘possible’ should also be avoided as it is not sufficiently clear whether we are using them or not.
c) The information must be easily accessible.
The user should not have to search for the information. It has become standard that, when the web address is entered, the cookie notice appears in the foreground in a ‘lightbox’ (light box), dimming the content of the main page in the background.
It should be clear to the user where and how they can access all the information relating to their privacy. The links should be clearly visible and take the user directly to the information under a commonly used term such as ‘cookie policy’ or ‘cookies’. It is also standard to place this link in the ‘footer’ (bottom of the web page), so that it is visible at all times while browsing the site.