Data, data and more data
Digital Analytics

Does my website comply with the Spanish cookie legal framework?

09/10/2013

Last August, the first trial in Spain over an infringement of the cookie legal framework was opened. The so-called 'cookie law' had seemed to settle into some kind of limbo after it was passed on April 1st, 2012. To this day, only a few companies in Spain have taken action to adapt their websites to the current legislation.

The opening of this first trial is a good occasion to sum up the key features of the cookie law, the main question being: does my website comply with cookie legislation?

The so-called 'cookie law' (RDL 12/2012, BOE 31 March 2012) is the Spanish implementation of a European Union regulation in force since May 2011, which forbids (with certain exceptions and alternatives) installing cookies in the user's browser without his or her express informed consent (Directive 2002/58/CE). Since its very start in 2002, this European regulatory effort has aimed to protect users from possible abusive practices (mainly the commercial exploitation of their personal data without their consent).

Although cookies have been accumulating bad press among the general public, it is worth recalling that the information they send to their owners may serve diverse purposes. Cookies may be used to allow browsing within a particular website, enable some functions (such as a shopping cart), customize a website's interface or contents according to the user's preferences, etc. Cookies may also be used to collect anonymous visitor data in order to optimize website usability, design, etc. Despite the alarm the cookie law may cause, cookies are not intended exclusively for marketing purposes, they are not spyware, and they definitely shouldn't be used to serve unwanted advertising.

For this reason, the cookie law starts from the distinction between cookies that perform technical tasks for the website itself (such as shopping cart, language, session cookies, etc.) and third party cookies (those which send information to servers other than the ones where the website is hosted). First party cookies, intended to allow the user's browsing within the website itself, are exempt from the ban and may be installed without the user's consent. However, all third party cookies (those which send information to external servers) require express consent from the user before being installed. This consent must be active and informed: the user must have all the direct, complete information, and give his or her consent in a manifest, conscious manner.

A key aspect of the cookie law is the regulation of how ad networks and ad agencies use users' browsing data to, for instance, offer personalized ad spaces. Regardless, the Spanish cookie law obliges every owner of a professional website established in Spain (or whose services are specifically addressed to the Spanish market) to obtain this 'informed consent' before installing any third party cookie. Our website may be installing third party cookies without our knowledge, such as those sent by external content modules (such as Google Maps iframes) or by CMSs (such as WordPress, Joomla, etc.) and their plugins. For this reason, if you're not sure that your website complies with the current legal framework, we advise the following steps:

1. Audit the cookies your website is installing. Some plugins, content managers, social buttons, etc., may be sending cookies to your users' browsers. Make an inventory of all the cookies your website installs, specifying the details of each one (owner, purpose, expiration date, etc.). Next, decide which ones you can do without and deactivate them by programming the corresponding application accordingly.

2. Write a new Privacy Policy document for your website. There, explain in direct, clear language the types of cookies your website installs and the purpose of each one. Include a table with all the cookies your website installs, specifying the use and expiration date of each one. Also state expressly that, should your website someday include third party cookies, you will ask for your users' express consent.
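As an added example (not part of the original post), the inventory from step 1 and the table from step 2 can be drafted from the `Set-Cookie` headers captured while browsing the site. The host names, the sample headers and the function names below are constructed for illustration, and the two-label domain comparison is a simplifying assumption.

```javascript
// Added example: build a cookie inventory from captured Set-Cookie headers.
// SITE_HOST and sampleResponses are constructed; they are not real data.
const SITE_HOST = "www.example.es";
const sampleResponses = [ // host that answered + its raw Set-Cookie value
  { host: "www.example.es", setCookie: "PHPSESSID=abc123; Path=/; HttpOnly" },
  { host: "www.example.es", setCookie: "lang=es; Max-Age=31536000; Path=/" },
  { host: "maps.thirdparty.example",
    setCookie: "NID=xyz; Domain=.thirdparty.example; Expires=Wed, 09 Apr 2014 10:00:00 GMT; Secure" },
  { host: "widgets.social.example", setCookie: "uid=42; Max-Age=63072000; Domain=social.example" },
];

// Naive registrable-domain guess: the last two labels. This is an assumption
// that fails for suffixes such as .com.es; use a public-suffix list there.
function baseDomain(host) {
  return host.replace(/^\./, "").toLowerCase().split(".").slice(-2).join(".");
}

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1); // flags become true
  }
  return cookie;
}

function lifetime(attrs, now) {
  // Max-Age takes precedence over Expires; neither means a session cookie.
  if (attrs["max-age"] !== undefined) return `${Math.round(Number(attrs["max-age"]) / 86400)} days`;
  if (attrs.expires) return `${Math.round((Date.parse(attrs.expires) - now) / 86400000)} days`;
  return "session";
}

function buildInventory(responses, siteHost, now = Date.now()) {
  return responses.map(({ host, setCookie }) => {
    const c = parseSetCookie(setCookie);
    const owner = baseDomain(c.attrs.domain || host); // who receives the cookie
    const party = owner === baseDomain(siteHost) ? "first" : "third";
    // Purpose cannot be derived from headers; it has to be documented by hand.
    return { name: c.name, owner, party, lifetime: lifetime(c.attrs, now), purpose: "TO FILL IN" };
  });
}

console.table(buildInventory(sampleResponses, SITE_HOST));
```

Cookies written by scripts through `document.cookie` never appear in response headers, so the browser's own cookie list still needs to be compared against this table.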

If your website doesn't use third party cookies, you're good just like that. However, as the trial opened last August shows, analytics cookies require special consideration even though they are first party. If your analytics don't identify users, a Privacy Policy as described in the paragraph above is enough - but if your analytics do identify users (for instance through custom variables in Google Analytics), you will need the user's express informed consent, and must accordingly hold back any cookie installation until he or she has consented.

For this purpose, a floating element notifying the installation of third party cookies is not enough - you need an active confirmation from the user, acknowledging that he or she understands the conditions being accepted by continuing to browse the website. A possible solution is to interpose a welcome splash page or pop-up that prevents the page from loading completely. This element must inform the user clearly that, by continuing to browse the website, s/he is accepting the installation of cookies according to the website's privacy policy. If users are identified (in order to achieve multi-device tracking in analytics, for instance), this must be clearly stated in the Privacy Policy document.

It is very important to make sure that, whatever solution is used to prevent automatic cookie installation when the browser enters the website for the first time, no information is lost (such as where new visitors came from, for instance).
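A sketch of such a gate, added here as an example and not taken from the original post: the referrer and landing URL are captured in memory on first load, and the tracking script is only injected after an active acceptance. `createConsentGate`, the `cookie_consent` storage key, the `accept-cookies` button id, `window.acquisition` and the `/js/analytics.js` path are all hypothetical names.

```javascript
// Added example: hold back tracking until the user accepts, without losing
// where the visitor came from. All names here are hypothetical.
function createConsentGate({ storage, referrer, landingUrl, loadTrackers }) {
  // Captured in memory at first load, before anything is written to the browser.
  const acquisition = { referrer, landingUrl, capturedAt: Date.now() };
  let loaded = false;

  function start() {
    if (loaded) return; // never load the trackers twice
    loaded = true;
    loadTrackers(acquisition);
  }

  // Returning visitor who already accepted: no splash needed.
  if (storage.getItem("cookie_consent") === "accepted") start();

  return {
    needsPrompt: () => !loaded,
    accept() {
      storage.setItem("cookie_consent", "accepted"); // record of the consent itself
      start();
    },
    decline() { /* nothing is stored and no tracker is loaded */ },
  };
}

// Browser wiring (skipped when run outside a browser).
if (typeof document !== "undefined") {
  const gate = createConsentGate({
    storage: window.localStorage,
    referrer: document.referrer,
    landingUrl: window.location.href,
    loadTrackers: (acq) => {
      window.acquisition = acq; // assumed hand-off read by the tracking snippet
      const s = document.createElement("script");
      s.src = "/js/analytics.js"; // placeholder path for the site's tracking code
      document.head.appendChild(s);
    },
  });
  if (gate.needsPrompt()) {
    const btn = document.getElementById("accept-cookies"); // assumed splash button
    if (btn) btn.addEventListener("click", () => gate.accept());
  }
}
```

If the splash is a separate page rather than an overlay, `document.referrer` on the next page points at the splash itself, so the captured values have to be carried across that navigation.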

As the many voices raised against the cookie law show, data privacy laws are still part of the big primordial soup that is defining itself within the new forms of digital society (as is the case with file sharing and authors' rights). Data protection laws are at a maturing stage and seem to have a long way ahead. For now, for our part, let's just make sure we comply with the current legal framework in order to avoid unpleasant surprises.
