Last August the first trial process in Spain over cookie legal framework infringement was suited. The so-called 'cookie law' had seemed to have settled in some kind of limbo after its passing, April 1st 2012. Up to present day, in Spain still just a few companies have taken actions to adapt their websites to current legislation.
The opening of this first trial process may invite us to sum up and put on the table the key features of the cookie law, main question being: Does my website comply to cookie legislation?
The so-called 'cookie law' (RDL 12/2012, BOE 31 March 2012) is the Spanish developement of a European Union regulation in force since May 2011, which forbids (with certain exceptions and alternatives) the installation of cookies in the user's browser without his or her express informed consent (Directive 2002/58/CE). This European ruling effort is aimed from its very start in 2002 to protect users from possible abusive practices (mainly the commercial profit of their personal data without our consent).
However cookies have been piling up bad press among general public, it's convenient to recall that the information they send to their owners may attend to diverse purposes. Cookies may be used to allow the browsing within a particular website, enable some functions (such as a shopping cart), customize a website's interface or contents according to the user preferences, etc. Also, cookies may be used to collect anonymous visitors data in order to optimize website usability, design, etc. Regardless the alarm cookie law may transpire, cookies are not intended exclusively for marketing means, they are not spyware, and definitely shouldn't be used to serve unwanted advertising.
For this main reason, cookie law departs from the distinction between cookies aimed to perform technic tasks of the own website (such as shopping cart, language, session cookies, etc) and third party cookies (those which send information to servers external to the ones the website is hosted). First party cookies, destined to allow user's browsing within the own website, are exempt from the banning and may be installed without user's consent. However, all the third party cookies (those which send information to external servers) require before being installed an express consent from the user. This consent must be active and informed: used must have all the direct, complete information, and give his or her consent in a manifest, conscient manner.
A key aspect of the cookie law is the regulation of ad network or ad agencies activity in making use of users' browsing data to, for instance, offer personalized ad spaces. Regardless, Spanish cookie law forces every owner of a professional website stablished in Spain (or whose services are specifically addressed to Spanish market) to comply to this 'informed consent' action before installing any third party cookie. Our website may be installing third party cookies without our knowledge, such as those sent by external content modules (such as google maps iframes) or CMS (as wordpress, joomla, etc) and their plugins. For this reason, if you're not sure that your website is complying to current legal framework, we advise following steps:
1. Audit the cookies your website is installing. Some plugins, content managers, social buttons, etc, may be sending cookies to your users' browsers. Make an inventary of all the cookies your web is installing, specifying the details for each one of them (owner, purpose, expiration date, etc). Next, consider which ones you want to do without and deactivate them by corresponding application programming.
It is very important to make sure that, whatever solution is used to prevent the automatic cookie installation as the browser enters the website for the first time, there is no information lost (such as the procedence for new visitors, for instance).
As the many voices arised against the cookie law show, data privacy laws are still part of the big primordial soup that is still in the process of self defining in the new digital society forms (as it's the case with file sharing and author rights). Data protection laws are in a maturing stage that seems to have a long trajectory ahead. By now, by our side, let's just make sure we're complying with the current legal framework in order to avoid possible unpleasant surprises.