Cookie is a file that is downloaded to your computer when you access certain web pages. Cookies allow a web page, among other things, to store and retrieve information about the browsing habits of a user or their equipment and, depending on the information they contain and the way they use their equipment, they can be used to recognize to user. The user's browser memorizes cookies on the hard disk only during the current session occupying a minimum memory space and not harming the computer. Cookies do not contain any kind of specific personal information, and most of them are deleted from the hard drive at the end of the browser session (the so-called session cookies).
Most browsers accept cookies as standard and, independently of them, allow or prevent temporary or stored cookies in security settings.
Without your express consent - by activating the cookies in your browser - the web page you have just accessed will not link in the cookies the data stored with your personal data provided at the time of registration or purchase.
What types of cookies does this website use?
– Technical cookies: Are those that allow the user to navigate through a web page, platform or application and the use of different options or services that exist in it, for example, control traffic and data communication, identify the session, access restricted access parts, remember the elements that make up a navigation, make the registration request.
You can allow, block or delete the cookies installed on your computer by configuring the browser options installed on your computer:
Guarantee of compliance with the law
For more information about cookies and their use read the following text:
1. Scope of the rules.
The second section of article 22 of the LSSI establishes:
2.Service providers may use data storage and retrieval devices in terminal equipment of recipients, provided that they have given their consent after they have been provided with clear and complete information on their use, in particular, on the purposes of data processing, in accordance with the provisions of Organic Law 15/1999, of December 13, on the Protection of Personal Data.
When technically possible and effective, the consent of the recipient to accept the processing of the data may be facilitated by using the appropriate parameters of the browser or other applications, provided that it must proceed to its configuration during installation or update through an action Express for that purpose.
The foregoing shall not prevent the possible storage or access of a technical nature solely for the purpose of transmitting a communication over an electronic communications network or, to the extent strictly necessary, for the provision of a service of the information society. expressly requested by the recipient.
Consequently, the information in this text will be useful to those cases to which the second section of Article 22 of the LSSI is applicable, in accordance with the provisions of Chapter II of the LSSI itself entitled “Scope of application”
In particular, it should be specified that, in accordance with the precept transcribed,
it applies to any “storage and retrieval devices of data “in any” terminal equipment of the recipients “and that the Annex of the aforementioned LSSI defines as” Recipient of the service or recipient “the” natural or legal person who uses, whether or not for professional reasons, a service of the society of Information”.
Thus, article 22 of the LSSI and the present text refer to the installation of cookies and similar technologies used (such as local shared objects or flash cookies, etc.) to store and retrieve data from a terminal equipment (for example, a computer, a mobile phone or a tablet) of a natural or legal person who uses, whether or not for professional reasons, a service of the information society.
In any case we allow ourselves to remember that when the installation and / or use of a cookie entails the processing of personal data, those responsible for such treatment must ensure compliance with the additional requirements established by the regulations on protection of personal data, in particular in relationship with specially protected data.
Likewise, it is convenient to remember the need to adopt additional precautions in this area in relation to minors.
Finally, in order to determine the scope of the regulations and this text it is necessary to point out that the cookies used for any of the following purposes are exempt from compliance with the obligations established in article 22.2 of the LSSI:
• Allow only communication between the user's equipment and the network.
• Strictly provide a service expressly requested by the user.
In this sense, the Working Group of Article 29 in its Opinion 4/2012 has interpreted that among the excepted cookies are those that have the purpose:
• Cookies «user input».
• Authentication or user identification cookies (session only).
• User's safety cookies.
• Multimedia player session cookies.
• Session cookies to balance the load.
• Customization cookies for the user interface.
• Complement cookies (plug-in) to exchange social content.
Therefore, it can be understood that these cookies are excluded from the scope of application of article 22.2 of the LSSI, and therefore, it would not be necessary to inform or obtain the consent
about its use. On the contrary, it will be necessary to inform and obtain the consent for the installation and use of any other type of cookies, both first and third, session or persistent, being subject to the scope of application of article 22.2 of the LSSI and, on which the orientations of this text will be useful.
The aforementioned opinion indicates that in order for a cookie to be exempt from the duty of informed consent, its expiration must be related to its purpose. Because of this, session cookies are much more likely to be considered as persistent than persistent cookies.
In any case, it must be taken into account that the same cookie can have more than one purpose, so there is the possibility that while for a purpose or treatment the cookie is exempt from the scope of application of article 22.2 of the LSSI, it is not is for other purposes, being subject to the scope of application of said precept.
For example, cookies used to detect erroneous and repeated attempts to connect to a website.
2. Terminology and definitions
For the purposes of this text it is useful to define a series of concepts in advance.
A. Intervening elements
The LSSI is applicable to any type of file or device that is downloaded to a user's terminal equipment for the purpose of storing data that can be updated and retrieved by the entity responsible for its installation.
The cookie is one of those devices widely used so, from now on, we will generically refer to these devices as cookies.
These files allow the storage in the user's terminal of data quantities ranging from a few kilobytes to several Megabytes.
Next, a classification of the cookies is made according to a series of categories. However, it is necessary to take into account that the same
Cookie can be included in more than one category.
1. Types of cookies according to the entity that manages them.
Depending on who is the entity that manages the equipment or domain from where it is
send cookies and treat the data obtained, we can distinguish:
– Own cookies: These are those that are sent to the user's terminal equipment from a computer or domain managed by the editor itself and from which the service requested by the user is provided.
– Third party cookies: These are those that are sent to the user's terminal equipment from a computer or domain that is not managed by the publisher, but by another entity that processes the data obtained through the cookies.
In the event that cookies are installed from a computer or domain managed by the publisher itself but the information collected through them is managed by a third party, they can not be considered as own cookies.
2. Types of cookies according to the period of time they remain activated.
According to the period of time that remain activated in the terminal equipment
we can distinguish:
– Session Cookies: They are a type of cookies designed to collect and store data while the user accesses a web page.
– Persistent cookies: They are a type of cookies in which the data is stored in the terminal and can be accessed and processed during a period defined by the person responsible for the cookie, which can range from a few minutes to several years.
3. Types of cookies according to their purpose.
Depending on the purpose for which the data obtained through cookies are processed, we can distinguish between:
– Technical cookies: Are those that allow the user to browse through a web page, platform or application and the use of different options or services that exist in it.
– Personalization cookies: These are those that allow the user to access the service with some predefined general characteristics based on a series of criteria in the terminal.
– Analysis Cookies: These are those that allow the person in charge of them to monitor and analyze the behavior of the users of the websites to which they are linked. The information collected through this type of cookies is used in the measurement of the activity of the websites, application or platform and for the elaboration of navigation profiles of the users of said sites, applications and platforms, in order to introduce improvements in function of the analysis of the data of use made by the users of the service.
In light of this definition we can observe the double role or function that an editor can develop.
It is the entity whose products, services or image are advertised through the advertising spaces that are available, where appropriate, the editors on their pages or other applications from which they provide services to users. In this sense, it acts as a plaintiff of advertising space.
Frequently, the editor also often acts as an advertiser. In these cases, the publisher acts as an advertiser from the moment in which to perform
advertising of the service provided to users uses the advertising spaces that other publishers make available.
ii. Advertising agencies and media agencies
They are entities that are responsible for the design and execution of advertising, as well as the creation, preparation or programming of advertising campaigns of advertisers, acting on behalf of and on behalf of these in the contracting of advertising spaces. In this sense, it is also You can consider them as plaintiffs of advertising space for advertisers.
iii. Advertising networks
The purpose of the work of these entities is to carry out, in the best possible way, the management of the inventory of advertising spaces, whose ownership corresponds to the publishers, in a way that converges with the demand of the advertisers.
It is the publisher who decides whether all or part of the inventory, which is available, is managed by an entity exclusively or by several entities simultaneously based on the criteria established.
This type of entities usually make an aggregation of the offer of the advertising spaces and the inventories of several publishers.
Some of these entities collect, through the cookies they manage, information on the browsing habits of users who access the services or pages offered by any of the publishers they represent.
The data is collected with the purpose that the dissemination of advertising pieces of the advertisers is as efficient as possible. For this, they analyze the habits of the users in
Internet in order to offer the most appropriate advertising to the interests associated with your browsing profile.
This type of entities act on the supply side, as bidders of spaces, in the name and representation, directly or indirectly of one or several publishers.
To carry out the management of these advertising spaces in the most efficient way possible, different types of equipment, technologies, programs or management applications are used, such as adServers, adExchanges, etc. that deal with adServer (Ad Server):
Adservers are programs or management platforms used to manage the publisher's ad inventory. For this, third-party cookies are usually used, so that these cookies are sent to the user's terminal equipment, not real time, so that advertising pieces of the advertisers are included in the publishers' advertising spaces automatically, function of the criteria that are established in each case.
Finally, it is also necessary to point out that this management work is often subcontracted totally or partially to other companies specialized in the development of the necessary actions for the management of advertising spaces.
iv. Analysis and measurement companies.
Generally for the provision of this type of services are used what are called 'third-party cookies', ie, cookies that are sent to the user's terminal equipment not from a computer or domain managed and controlled by the publisher but from a computer or domain managed by the entity that performs the analysis of the data.
Given the multiplicity of intervening entities, it will be up to each of them to analyze the work they carry out to position themselves in one or another role in order to determine the responsibility they incur and to comply with the obligations established in the regulations and developed in this guide.
Obligations of the parties.
The legal obligations imposed by the regulations are two, namely: the duty of information and the obtaining of consent.
Prior to the study by the entities involved in the most appropriate solutions to comply with the aforementioned obligations (according to the nature of their activity, the business model they develop and the scope of their responsibility), it is recommended that they carry out a review of the cookies that are used, either internally or with the advice of associations or specialized entities. This review will be from a domain managed and controlled by the editor itself, but from one managed by the adserver. adExchange (Ad Exchange): Computer system that allows automated auctioning of advertising spaces by publishers that advertisers and other authorized agents request. The auction is done in real time using the criteria established by both parties so the participating entities do not know, until it is shown, what will be the advertising that will be displayed in a space auctioned through this infrastructure.
In this context, it must be specifically assessed if the installation of persistent cookies is necessary since the risks to privacy could be reduced by the use of session cookies. In any case, when persistent cookies are installed, their temporary duration must be reduced to the minimum necessary, depending on the purpose of their use.
In any case, we remind the convenience that the solutions that are implemented to comply with the obligations of art.22.2 LSSI must be technologically neutral and, therefore, must be solutions that most browsers recognize.
A. Duty of information.
i. What information should be provided.
The second section of Article 22 of the LSSI establishes that users should be provided with clear and complete information on the use of data storage and retrieval devices and, in particular, on the purposes of processing the data, in accordance with the provisions of Organic Law 15/1999, of December 13, on the protection of personal data.
Therefore, the information on the cookies provided at the time of requesting consent must be sufficiently complete to allow users to understand the purpose for which they were installed and to know the uses that will be given to them.
In addition to providing the necessary information so that users can provide, at the required time, a valid consent, it is advisable that the aforementioned information, and in particular that relating to the form through which they can manage the cookies, be at their available in an accessible and permanent way at all times through the website from which the service is provided.
ii. How that information should be displayed.
The Working Group of Article 29 has established in its Opinion 15/2011, with the objective of guaranteeing adequate information, two requirements that affect, on the one hand, the quality of the information and, on the other hand, the accessibility and visibility Of the same.
First, in relation to the quality of the information provided, it is recommended:
– Take into account the type of average user to which that web page is directed and adapt the language and content of the messages to their technical level. The lower the technical level of the average user of that web page, the easier it must be to use the language (avoiding technical terminology that is not very comprehensible) and the more complete the information that is offered, based on the most basic aspects of what cookies are and how they work.
In any case, this lower technical level should not be an obstacle for the information provided to be as clear as possible, avoiding overloading the information with unnecessary details that make it cumbersome to read.
On the contrary, if the users to whom the website is directed enjoy a high level of knowledge about the Internet, it may not be necessary to provide basic information about what cookies are and how they work, although they must include information in any case detailed information about what type of cookies are used on that page and for what purposes.
At the present time, it should be assumed that the level of knowledge of users about cookies and their management is very limited.
– Take into account the design and mechanics of the website. The better the information that is offered about cookies fits with the rest of the contents of the website and its operating mechanics, the more likely it is that this information will be read by users.
Second, in relation to the accessibility and visibility of the information on cookies can be enhanced in the following ways:
– Through the format of the link: For example, increasing the size of the link to the information or using a different source that distinguish that link from the normal text of the web page and other links.
– Through the positioning of the link: The location of the link in areas that attract the attention of users can help ensure accessibility and visibility.
– Through other techniques that help highlight the importance of this informative link, such as framing or underlining the link, displaying a warning when the mouse pointer passes over the link or using an image or icon that can be clicked and that encourages you to look for more information.
“Informing users and obtaining their consent is not something new on the Internet. Most websites know which methods to use to attract users attention to the information they wish to highlight, such as in the case of promotions, offers or satisfaction surveys, and to obtain the consent of their users, even if in other contexts (changes in the terms and conditions of use, confirmation of purchases or verifications of minimum age required).
The way in which the consent of users is reported and obtained should take advantage of the experience gained through these methods.
In any case, mandatory information may be offered through multiple systems. As we will see later, generally with these means not only the necessary information will be provided, but also the user's consent for the installation of the devices can be requested.
Among the most common methods we highlight:
a. The supply of information through a header bar or in the footer, in a sufficiently visible manner.
In case it is necessary to obtain the consent for the installation of the cookies by already registered users (that is to say, they are already registered in the service) they will have to be informed in a verifiable way about the changes made in relation to the treatment of the cookies and that in case they continue using the service it will be understood that they consent to the installation of the same.
In both cases, it will also be possible to provide the information and obtain the consent through conventional means (off-line), as long as there is proof that the users have been informed individually and have provided their consent.
The information by layers.
This system consists in showing the essential information in a first layer, when the page or application is accessed, and completing it in a second layer through a page in which additional information about the cookies is offered.
1. The following information would be included in the first layer:
• Warning of the use of non-excepted cookies that are installed when browsing this page or when using the service requested.
• Identification of the purposes of the cookies that are installed.
• A link to a second information layer in which more detailed information is included.
This information will be provided through a format that is visible to the user and must be maintained until the user performs the action required to obtain consent.
We use our own and third-party cookies to improve our services and show you advertising related to your preferences by analyzing your browsing habits. If you go on surfing, we will consider you accepting its use.
You can change the settings or get more information here.
As you can see, this example offers information about the use by the editor and third parties of analytical and behavioral advertising cookies.
The cookies used should be analyzed in order to adapt the information to each particular situation.
2. The following information would be included in the second layer:
• Definition and function of cookies
What are cookies? A cookie is a file that is downloaded to your computer when you access certain web pages. Cookies allow a web page, among other things, to store and retrieve information about the browsing habits of a user or their equipment and, depending on the information they contain and the way they use their equipment, they can be used to recognize to user.
• Information through a table or list about the type of cookies used by the website and its purpose.
What types of cookies does this website use?
• Analysis cookies: those that are well treated by us or by third parties, allow us to quantify the number of users and thus perform the measurement and statistical analysis of the use made by users of the service offered. To do this, we analyze your browsing on our website in order to improve the offer of products or services we offer you.
• Advertising Cookies: These are those that, well treated by us or by third parties, allow us to manage in the most efficient way possible the offer of the advertising spaces that are on the website, adapting the content of the advertisement to the content of the requested service or to the use you make of our website. For this we can analyze your browsing habits on the Internet and we can show you advertising related to your browsing profile.
• Information on how to deactivate or eliminate the cookies listed through the functionalities provided by the editor, the tools provided by the browser or the terminal or through common platforms that may exist, for this purpose, as well as the form of revocation of consent already rendered.
You can allow, block or delete the cookies installed on your computer by configuring the browser options installed on your computer.
B. Obtaining consent.
i. Consent as the basis for compliance with regulations.
For the installation and use of non-excepted cookies it will be necessary in all cases to obtain the user's consent. This consent may be obtained through express formulas, such as by clicking on a section that indicates 'I consent,' 'I agree,' or other similar terms. It can also be obtained by inferring it from a certain action carried out by the user, in a context in which the latter has been provided with clear and accessible information about the purposes of the cookies and whether they are to be used by the same publisher and / or by
third parties, so that it is understood that the user accepts that cookies are installed. In any case the mere inactivity of the user does not imply the provision of consent by itself.
For this consent to be valid it will be necessary that the consent has been granted in an informed manner.
Therefore, it is necessary Consider.
1. That the modalities of providing consent may be varied.
Obtaining consent through a user's 'click' or similar behavior will undoubtedly facilitate proof that it has been obtained. This formula may be more appropriate for registered users.
The obtaining of the consent that is inferred from a behavior of the users is admissible, but it can present greater difficulties of proof on its obtaining. This will depend, fundamentally, on the clarity and accessibility of the information that has been offered to obtain them.
2. That the user must have made some kind of conscious action and
positive from which the user's consent can be inferred.
For example, it should be clearly informed in those cases in which the request by the user of a service is interpreted in turn as an expression of their agreement so that, in addition to providing the service, they can store or access the information on the user's device.
4. That the user, in any case, may refuse to accept cookies, even in those cases in which as a consequence of such a negative the functionality of the web page is limited or not possible.
ii. Who must give consent.
In accordance with section 2 of article 22 of the LSSI, consent must be given by the 'recipients' of the services of the society of the
In accordance with section d) of the Annex to the LSSI by 'Recipient of the service or recipient' should be understood 'the individual or legal entity that uses, whether or not for professional reasons, a service of the information society.' And according to the definitions made in the corresponding section, the term recipient coincides with the user, which is the one used in this guide.
iii. Modalities of obtaining consent
In this sense, it must be indicated if the consent is provided only for the web page in which it is being requested or if it is also provided for other web pages of the same publisher or even for third parties associated with the publisher within the framework of the purposes of the cookies about which information has been offered.
There are, among others, the following mechanisms for obtaining consent:
• During the process of configuring the operation of the web page or application (Settings-led consent)
Many web pages and mobile applications allow the user to configure the service, which can configure features such as language, font, background color, etc. Because of the specific characteristics of
applications, these also usually ask the user if they can access information from their terminal (such as agenda, to suggest friends, or photo album).
For this reason, another alternative form of consent for the installation of cookies can be configured during the process of election or specification by the
user of the features, leaving the consent integrated in the user's choice and remembering the chosen settings this one.
• At the moment when a new function offered on the website or application is requested (Feature-led consent)
In such cases, information may be provided about the cookies used at the moment in which the user must show his desire to use said function.
In the previous example, information could be provided next to the checkbox that the user must check to obtain the function (that the mail service remembers his account).
• Before the moment a service or application offered on the website is downloaded.
Another possibility of obtaining consent is before the time a service included in the website or in the application is downloaded (such as a video, image or game).
In such cases, if it is properly informed that the application for downloading such service or application involves the provision of consent for the installation of a specific cookie with specific purposes, and it carries out an action to perform the download of such service or application, you can interpret the user has given his consent for the installation of the corresponding cookie or cookies. When this cookie is provided by a third party, the user must be informed, providing information about the purposes of the third party's cookies, so that the user can make an informed decision.
It should be remembered that in the event that a web page offers audiovisual content, they are part of the service expressly requested by the user, being therefore exempt from the duty to require such consent to display such content.
• Through the information format by layers. In the layer information format that we indicated above, the first layer, which contains the essential information, must also include the consent request for the installation of the cookies.
(i) The user has used the scroll bar, as long as the information about the cookies is visible without making use of it;
(ii) The user has clicked on any link contained in the page.
The information that is offered in this first layer can be shown through a format that is visible to the user, such as a layer, a bar or through similar techniques or devices, taking into account that the location at the top of the page would better capture the attention of users.
In the terminals of reduced screen it will be possible to adapt the size and the content of first layer to the dimensions of the same one.
• Through the browser settings. Both the Privacy Directive and the LSSI suggest that the configuration of the browser could be one of the ways to obtain consent if it is used in a way that allows users to express their agreement with the installation of cookies in accordance with current legislation. and taking into account the findings of the Article 29 Working Group.
iv. When can cookies be installed?
Regarding the moment in which consent must be obtained for the installation of the cookie, it must be remembered that article 22 of the LSSI states that:
Service providers may use data storage and retrieval devices on terminal equipment of recipients, provided that they have given their consent after they have been provided with clear and complete information about their
use, in particular, for the purposes of data processing, in accordance with the provisions of Organic Law 15/1999, of December 13, on the Protection of Personal Data.
Consequently, the installation of the cookie may take place when the user has the mandatory information about the cookies and the form of obtaining the consent and it is provided in accordance with the indicated procedures.
In this sense, the installation of the cookies should be accompanied by an informed consent of the users for such installation, so that the
recipients have the opportunity to examine the information and decide whether or not to allow the implementation of these devices.
The same publisher that provides different services through different domains
may through a single web page inform and obtain consent for the installation of cookies sent from other domains, which are owned and offer content or have similar characteristics, for the provision of the requested services by the user, provided that it is also informed of what was previously stated in the section on information, on which web pages or domains of ownership are to be installed from where the cookies will be installed, the type of cookies and the purposes for which that the consent of the user is processed and collected.
In the case that the pages through which an editor provides services offer contents or have characteristics that are not similar (for example: some of the pages contain content for adults), it will be necessary to adopt additional precautions.
As a general rule, whenever a consent has been obtained validly it is not necessary to obtain it every time a user visits the same web page from which the service is provided again.
In any case, it is clear that if the characteristics or purposes of using cookies change after having obtained the consent, it will be necessary to inform users about these changes and allow them to make a new decision about such activities.
In any case, the user may be informed of the consequences derived from the withdrawal of said consent, such as, for example, the impact that may have on the functionalities of the website.
viii. Possibility of denying access to the service in case of rejection of cookies.
There may be cases in which the non-acceptance of the installation of cookies prevents the total or partial use of the service, provided that it is reported
appropriately about the user.
However, access to the service can not be denied in case of rejection of cookies, in those cases in which such denial prevents the exercise of a legally recognized right to the user, since access to said website is the only means provided to the user. user to exercise such right. (Example, the withdrawal in a telephone service, Internet access or other).
The LSSI does not define who is responsible for complying with the obligation to provide information about cookies and obtain consent for their use.
Basically in the management of cookies and in the processing of the data obtained, the two situations described below are distinguished in
In those cases in which an editor offers users a service and all the
Cookies on its website are used exclusively for the purposes that it is not necessary to obtain the consent listed above, whether they are their own or that of third parties, it will not be necessary to report their use or obtain consent.
However, if you use third-party cookies to provide the service requested by the user, you must ensure contractually that these other entities or third parties do not treat the data for any other purpose than providing the service to the user, since in otherwise, it would be necessary to inform about these other purposes and obtain the consent.
In this case you can differentiate if they use first or third party cookies.
In the cases in which the publisher, through the use of its own cookies, treats the data for any purpose that is not exempt from the obligation to inform and obtain consent, it will be necessary to report on the purposes for which the data will be processed and Obtain the user's consent, through one of the forms established in this guide.
Likewise, when third-party cookies are used for any or some of the non-exempt purposes, both the publisher and the other entities involved in the management of the cookies will be responsible for ensuring that users are clearly informed about the cookies and purposes. for them to be treated and to obtain the required consent.
Generally, third-party cookies are downloaded to the user's terminal equipment because the editor, when designing the website, platform or application, envisaged the possibility of including third-party content that uses them or because it uses third-party software that requires them.
In any case, it must be borne in mind that in practice it is more difficult for entities that install third-party cookies, which do not have a direct relationship with the user, to achieve this, and that users will tend to send their concerns to the entity at the same time. that they can identify and with which they have a relationship, that is, the editor.
In this way, in such cases and in order to facilitate and ensure compliance with the obligations established in this area, when third-party cookies are installed, one or several contracts should be included in the contracts between the publishers and third parties. clauses in which it is ensured that the required information will be offered to the users and that the form through which a valid consent for the use of the cookies can be obtained will be articulated, as well as about the consequences of the revocation of the consent for the editor and, especially, for the third parties who obtained it through the editor.