
By Gonzalo Erro and Álvaro Del Hoyo Manene

This article provides key points from the “Guía sobre el uso de las cookies,” or the Spanish cookie guidance, released on April 29 by the Spanish Data Protection Authority (AEPD) and by Anunciantes, AutoControl, ADigital and IAB Spain, representatives of the industry.

Origins, Premises and Motivations

A long time has passed since the 13th of July 2001 when an amendment led to what finally became Article 5 Paragraph 3 of Directive 2002/58/EC, the first online tracking regulation.

Since then, online advertising has demonstrated growing efficiency and reach compared with traditional advertising media such as television, newspapers and magazines. Concerns regarding the privacy implications of online advertising have increased at the same pace. Despite industry members’ own uncoordinated efforts to offer a solution, the Do-Not-Track initiative emerged in the U.S. in 2007, and a review of Article 5 of Directive 2002/58/EC arose in Europe.

Finally, as a result of the legislative procedure that concluded with the approval of Directive 2009/136/EC, Article 5.3 of Directive 2002/58/EC was amended with two goals: extending its applicability to the ways of storing and gaining access to information on subscriber and user equipment, and requiring that the subscriber or user concerned has given his or her consent instead of just having been provided with clear and comprehensive information.

Whether subscriber or user consent should be implicit or explicit is not a specific issue among European Union Member States, and it is an important issue for the industry players who must understand how and when it is possible to store information or access information on subscriber and user equipment. It varies from one member state to another and has important consequences in usability and economic terms.

Spanish Cookies Guide

Article 5.3 of Directive 2002/58/EC, as amended by Directive 2009/136/EC, was transposed into Article 22.2 of Spanish Law 34/2002 on Information Society Services and Electronic Commerce (LSSICE).

The guide contains recommendations and guidance on how to satisfy the requirements of Art. 22 of LSSICE. It focuses exclusively on cookies (HTTP cookies and flash cookies) and not on the quite broad list of other tracking means such as Silverlight isolated storage, Internet Explorer userData storage, HTML5 storage, HTTP ETags, history sniffing, caching, HTML5 canvas caching, HTTP authentication or device fingerprinting.

The guide comprises a set of guidelines, guarantees and obligations that the industry commits to disseminate and apply. It does not have the force of law. The AEPD will not take enforcement action over a failure to adopt good practice or to act on the recommendations set out in this guide unless this in itself constitutes a breach of the privacy regulations, mainly Organic Law 15/1999 on the Protection of Personal Data (LOPD) and Royal Decree 1720/2007, which approves the regulation on the protection of personal data (RLOPD).


The guide is focused on cookies and other similar means to store and gain access to data stored on subscriber and user equipment (“such as local shared objects, flash cookies, etc.”), no matter whether they are computers, mobile phones or tablets. It does not mention other equipment, such as smart TVs, used by natural persons or legal entities when using information society services.

Following LSSICE, certain kinds of cookies are exempted from the guide: those necessary for carrying out or technically facilitating the transmission of a communication over an electronic communications network, and those strictly necessary in order to provide an information society service explicitly requested by the recipient.

Regarding this topic, the guide is aligned with the Article 29 Working Party on its Opinion 04/2012 on Cookie Consent Exemption.

Who Should Comply?

The guide distinguishes between:

  • First Party Cookies - The website editor is responsible for notifying about the purpose of data processing and for obtaining user consent.
  • Third Party Cookies - In this case, both the website editor and the third party are jointly responsible for notifying about the purpose of data processing and for obtaining user consent.

Key Legal Principles

The guide establishes several options to meet the two main legal requirements set by law: the duty to inform and consent.

Duty to Inform - Article 22.2 of the LSSICE states that the information provided to users about cookies must be "clear and complete." The guide advises how to comply, taking into account:

  • Information to be provided: Usage of cookies and purposes of their processing, ways to opt out and eliminate cookies, and ways to manage cookies and permissions to use them.
  • How to provide the information: Choosing language and content of information considering an average user, considering that nowadays they lack knowledge regarding cookies, taking into account web design and functioning, and usability and visibility issues such as format, location, size of links and other techniques.
  • Ways to inform:
      • Information on links provided at the top or at the bottom of the web page;
      • Information links easy to view when logging in or before accessing a service or downloading an application;
      • Traditional offline methods; or
      • Layered approach. The first layer notifies users of the presence of cookies, their purpose, whether they are first-party or third-party cookies and that a particular action will mean users provide their consent, and links to the second layer of information. The second layer should provide information in detail describing the cookies, their kind and purposes, how to deactivate or eliminate them and whether they are first-party or third-party cookies.
  • Consent – Obtaining the user's prior consent is mandatory in order to install and manage a cookie. The guide confirms that consent might be obtained by explicit formulas, such as when configuring a website, by means of specific configuration of the browser or add-ons, and by clicking on a specific section saying “I agree,” “I accept” or other similar formulas, or even implied or deduced from actions performed by the user, i.e., scrolling down or clicking on a website link. But for both explicit and implied consent to be valid, it is necessary that the user has been informed previously. The guide also includes the right of users to receive information on how to disable or delete cookies and how to withdraw the consent previously given.
  • Cookies installation – Cookies may be installed only after the user has been previously and fully informed and consent has been granted in any of the ways explained above, taking into account that mere user inactivity should never imply consent.
  • Changes – As long as consent has been gathered in a valid way, there is no need to inform users again each time they come back to the website, unless changes have been deployed. Information regarding any changes should be provided to users to inform them and acquire their consent accordingly. This implies a regular review process of present cookies, related information policies and consent gathering, including the generation and retention of electronic evidence of information provision and granted consent.

Gonzalo Erro, CIPP/E, CIPP/IT, works as a client data protection architect at Accenture. He can be reached at

Álvaro Del Hoyo, CIPP/IT, is a business development manager for telco, internet, media and entertainment industries in S21sec, a Spanish multinational exclusively focused on information security. He can be reached at

