Charting a Digital Future: Cookies and User Consent in Startups

What are cookies? What do websites use cookies for? What types of cookies are there? What are the obligations imposed by the regulations on the use of cookies? What does the obligation of transparency include? What is meant by consent? How should consent be given? What information should be included in the cookie policy?

What are cookies?

The CJEU judgment of 1 October 2019 in Case C-673/17 states that “cookies are files that are placed on the computer of users of an Internet site by the provider of that site and can be accessed again when they revisit the site, in order to facilitate Internet browsing or transactions or to obtain information about the behaviour of those users”.

What do websites use cookies for?

The purpose of cookies is to store data and to remember the user’s actions or preferences over time. This data can be updated and retrieved by the entity that installed the cookies, or by a third party, when the user connects to the website again. Cookies can also be used to obtain information from users in order to tailor advertising to their online behaviour. In short, their purpose is to store information and to retrieve information already stored.

What types of cookies are there?

The Guide on the use of cookies published by the Spanish Data Protection Agency (“AEPD”), and updated in July 2023, classifies cookies according to a number of categories.

a) Types of cookies depending on the entity that manages the equipment or domain from which the cookies are sent and processes the data obtained:

  • First-party cookies: “those for which the publisher itself is responsible and which are generally sent to the user’s terminal equipment from a computer or domain managed by the publisher itself and from which the service requested by the user is provided”.
  • Third-party cookies: “those for which an entity other than the publisher is responsible and which are generally sent to the user’s terminal equipment from equipment or a domain that is not managed by the publisher, but by another entity that processes the data obtained through the cookies”.

b) Types of cookies according to their purpose.

Some purposes may be:

  • Technical cookies: “those that allow the user to browse through a website, platform or application and use the different options or services that exist therein”. Also belonging to this category are those cookies that allow the management of advertising spaces that the publisher has included on a website, application or platform without collecting user information for other purposes.
  • Preference or personalisation cookies: “those that allow information to be remembered so that the user can access the service with certain characteristics that can differentiate their experience from that of other users”.
  • Analysis or measurement cookies: “those that allow the party responsible for them to monitor and analyse the behaviour of the users of the websites to which they are linked, including the quantification of the impact of advertisements”.
  • Behavioural advertising cookies: “those that store information on the behaviour of users obtained through the continuous observation of their browsing habits, which allows a specific profile to be developed in order to display advertising based on the same”.

c) Types of cookies depending on the length of time they remain active:

  • Session cookies: “those designed to collect and store data while the user accesses a website. They are usually used to store information that is only of interest for the provision of the service used by the user on a single occasion and disappear at the end of the session”.
  • Persistent cookies: “those in which the data remain stored in the terminal and can be accessed and processed for a period defined by the party responsible for the cookie, which can range from a few minutes to several years”.

What obligations does the regulation impose on the use of cookies?

As noted in the aforementioned AEPD Guide, Law 34/2002, of 11 July, on information society services and electronic commerce (LSSI) is applicable to “cookies, understood as any type of data storage and retrieval device used in a user’s terminal equipment for the purpose of storing information and retrieving information already stored”, as established in article 22.2 LSSI.

The obligations imposed by the implementing legislation are: (i) the obligation of transparency; and (ii) the obligation to obtain consent.

What does the transparency obligation comprise?

According to Article 22.2 LSSI, users must be provided with “clear and comprehensive information” on the use of data storage and retrieval devices and, in particular, “about the purposes of the data processing”. As stated in the AEPD Guide, “the information on cookies provided at the time of requesting consent must be sufficiently complete to allow users to understand their purposes and the use to which they will be put”.

Information should be concise, transparent and intelligible, using clear and simple language. The use of confusing phrases or phrases that detract from the clarity of the message should be avoided. In addition, the information should be easily accessible.

What is meant by consent?

For cookies to be used in the sense described in this article, the user’s consent must always be obtained. In the CJEU judgment of 1 October 2019 in Case C-673/17, the consent of the data subject is defined as “any freely given specific and informed indication of his or her wishes by which the data subject signifies his or her agreement to personal data relating to him or her being processed”.

How should consent be given?

According to the CJEU judgment of 1 October 2019 in Case C-673/17, “the requirement of a manifestation of the data subject’s wishes clearly suggests active rather than passive behaviour”. The data subject’s consent can make such processing lawful provided that such consent has been given unambiguously by the data subject. The aforementioned judgment confirms that “only active conduct on the part of the data subject expressing his consent can fulfil this requirement”.

Is consent given where the storage of information, or access to information already stored, is authorised by means of a box ticked by default by the service provider, which the user must untick if he does not wish to give his consent?

It is not considered valid, according to the CJEU Judgment of 1 October 2019 in Case C-673/17. Moreover, this manifestation of intent must be specific, since it “must have the specific purpose of the data processing in question and may not be inferred from a manifestation of intent having a different purpose”.

Does user inactivity imply the provision of consent?

No, under no circumstances. Consent must be obtained through an unequivocal action by the user.

What information should be included in the cookie policy?

As indicated by the AEPD in its Guide on the use of cookies, the following information must be included in the cookie policy:

  • Definition and generic function of cookies.
  • Information on the type of cookies used and their purpose.
  • Identification of who uses cookies.
  • Information on how to accept, refuse or revoke consent to the use of cookies.
  • Information on transfers of data to third countries made by the publisher, where applicable.
  • Where profiling involves automated decision-making with legal effects for the user, it is necessary to provide information on the logic used and the relevance and consequences of such processing for the user.
  • Data retention period.
