What are cookies and how do they work?

What are cookies? Cookies are temporary files that are installed on the device of the user who accesses websites. They usually have several purposes, sometimes for identification and other times to analyse the behaviour or conduct of the individual browsing the Internet. In essence, these types of files provide information about the website user.

Along with cookies, there are other information storage technologies (scripts, tracking pixels or other add-ons) that serve the same purpose.

How do cookies work? In general, cookies are stored on the user’s device when they access websites. When the user returns to said site, cookies enable the website to identify the user’s device and therefore remember the interactions that took place between said device and the website.

What are the regulatory requirements applicable to the use of cookies?

First, it is essential to note that the use of cookies is fundamentally regulated in two legal provisions. On the one hand, Article 22 of the Law on Information Society Services and Electronic Commerce (Law 34/2002, of 11 July, better known as LSSI), which allows the use of cookies or any another data storage and retrieval device, provided that the user has given informed consent to do so. On the other, the General Data Protection Regulation (hereinafter, GDPR) states in its Recital 30 that when the use of a cookie involves the processing of personal data, the data controllers must ensure compliance with personal data protection legislation. A cookie is personal datum of the individual, since it provides information about them.

Based on these provisions, website owners that use cookies must comply with two fundamental requirements: on the one hand, that of transparency, and on the other, that of obtaining user consent for their use. The former represents the duty to inform the subject about the existence of cookies in a concise, transparent and comprehensible manner. The latter means that the user must expressly consent to the installation of these files, and they may revoke said consent at any time (except in the case of technical or strictly necessary cookies).

It is important to remember that there are different types of cookies, such as: technical cookies, analytical cookies, profiling cookies, etc. Moreover, it is essential to keep in mind that technical cookies are the only ones that can be placed on a user’s device without their consent since they are necessary for the proper functioning of the website.

What is a cookie banner (pop-up)?

In terms of data protection, the cookie banner or pop-up is the first layer of information about the cookie processing carried out by a website. In short, the cookie banner is a notice or pop-up window that appears when we access a website.

What are the recent developments on the use of cookies introduced by the Spanish Data Protection Agency (AEPD) in its 2023 Guidelines on Cookies?

In February 2023, the European Data Protection Board (EDPB) published a Report on the requirements that a cookie banner must include. In July 2023, the AEPD updated the Guidelines on the use of cookies to adapt them to said Report, granting website owners a period of six months to meet the requirements of these new Guidelines. The period recently ended on 11 January.

In summary, the changes included are the following:

• A reject button must be included in the cookie banner, along with the accept and settings buttons. This first layer of information must therefore contain:
• An “accept” button to consent to the use of cookies.
• A “reject” button to reject the use of cookies (except for technical or strictly necessary cookies)
• A “settings” button or visible mechanism that takes users to or displays a settings panel that allows them to accept or reject cookies manually, at least depending on their purpose.
• These buttons must have the same appearance, meaning that they must have the same formal and visual features for the user (i.e., colour, size, height, etc.). Rejecting cookies cannot be more difficult than accepting them.
• Likewise, as already established in the previous regulations, cookies must not be pre-ticked. Pre-ticking the box for cookie consent is an illegal action.
• If the website only uses technical cookies, the cookie banner must state “this website only uses its own cookies for technical or strictly necessary purposes”. Remember that this is the only case when obtaining the user’s consent is not required.
• What are the steps to follow for legal use of cookies?

As explained previously, if we wish to comply with the regulations on cookies, we should take into account the following tips:

• The cookie banner is the first layer of information for this processing and it must comply with the duty of information in accordance with the GDPR.
• • Moreover, all cookie banners on any website must include: (i) “accept” button; (ii) “reject” button, and (iii) button or access to the cookies settings panel. These buttons must have the same features (colour, shape, size, etc.).
• • The “accept” option cannot be green and the “reject” option cannot be uncoloured or red. Withdrawing consent cannot be more difficult than giving it.
• Pre-ticked options for accepting cookies to obtain consent are not permitted under any circumstances. This is an illegal action.
• • Remember that the only case where the user’s consent is not required is when technical or strictly necessary cookies are accepted.

The following two examples of cookie banners comply with current regulations:

Helena Rodríguez Martín
Data Protection Consultant at PONS IP

Do you want to know more?