The use of cookies

Cookies’ Definition

After all these years, we still need to talk about the proper use of cookies on your entity's website.

First, let’s define cookies, using the Glossary provided by ISACA.

“A message kept in the web browser for the purpose of identifying users and possibly preparing customized web pages for them”.

You can also check the definition provided by Wikipedia.

How to use them (correctly)

To explain the correct use of cookies, we rely on PS/00483/2021, the enforcement proceeding started by the Agencia Española de Protección de Datos (AEPD) against a website whose content is meant for adults. Spoiler alert: a 10K euro fine!

The interesting part starts on page 8, where the AEPD recalls Opinion 4/2010 of the WG29, the predecessor of the current EDPB.

As an illustration, we have:

  • The ones used to fill in forms, or to manage a shopping cart
  • Others for user authentication or identification
  • Those used to detect erroneous attempts
  • The player sessions’, along with the media player sessions’; those for load balancing; user interface customization; and some plug-ins for
    sharing social content.

According to the mentioned Opinion, these little (and sometimes annoying) pieces of code would be excluded from the scope of application of Article 22.2 of the LSSI. Therefore, in the mentioned cases, explicit and informed consent will not be necessary.

For the sake of precision, the term “LSSI” means the Spanish law implementing the Directive 2000/31/CE.

In contrast, for all other cookies, you need to obtain informed and explicit consent from the Web user.

How to obtain the informed and explicit consent

The AEPD says that every Web page should use the so-called “two-layer approach”. What does it mean? To illustrate this concept, we will use a couple of screenshots of our own website.

The Cookie’s First Layer

Cookies

According to the mentioned enforcement proceeding, the first layer must include a generic identification of the purpose of the cookie. I must admit that I am not particularly proud of the definition “relevant experience” but, believe me, the existing cookies are only the technical ones. If you would like to suggest a more precise definition for the purpose, feel free to send us an email. We always appreciate your feedback. In any case, the mention of “remembering your preferences” seems a little bit more accurate. Actually, it is the only purpose for which the necessary cookies are installed.

The Cookie’s Second Layer

Cookies

Therefore, we follow the rules dictated by the AEPD. Specifically, we have a clearly visible banner linked to a second layer of information. Here, the user can access the settings panel. Remember: the user does not have to navigate within the second layer to locate the settings.

We only have necessary cookies. But the fined website mentioned by the GDPR had others that, well, didn’t fit well into the concept of explicit and informed consent.

Conclusions

If your website directly targets European customers, you had better call your Privacy Manager in Europe. We are here to help you become reasonably compliant with European legislation.