The amended law allows website operators to serve cookies provided individuals have given "consent", having been given clear and comprehensive information about why their personal data will be collected and processed.
Contrary to some reports, the amended law does not require "opt in" or "express" consent, and recognises the possibility of obtaining consent through appropriate browser or application settings. However, given Spain's longstanding history of vigorous data protection enforcement, website operators wishing to rely on "implied" consent solutions must provide robust transparency and choice.
Consent in Spain
Consent to data processing – whether express or implied – must always be freely given, unambiguous, specific and informed.
For historical reasons, Spanish data protection law allows personal data processing on an implied consent basis – requiring express consent only when the letter of the law explicitly mandates it. There is no legal reason why a similar approach should not also apply to cookie consent.
However, to rely on implied consent the website operator must be able to point to a demonstrable action or omission by the individual clearly indicating his or her wishes. This is because the interpretation of the 'specific' and 'unambiguous' consent requirements by the Spanish DPA and the Spanish courts has historically been highly restrictive, unsurprisingly leaning towards a preference for express consent.
So while no guidance has been published to date by the Spanish DPA on how to comply with the cookie consent rule, relevant precedents indicate that it will interpret the ability for website operators to rely on implied consent very restrictively.
Practical advice for website operators
Coming up with an implied consent strategy that both benefits from the fact that express consent is not required by law and takes into account the context described above therefore requires careful consideration and some degree of creative thinking. It must necessarily reflect the level of intrusiveness that the cookies served will have on individuals' expectations of privacy.
While the Spanish DPA will inevitably prefer opt-in approaches to consent, this is not required as a matter of Spanish law. Reliance on robust implied consent can suffice, in appropriate contexts, provided the website operator displays a prominent notice demonstrably visible to all visitors that:
(b) makes readily available easy-to-use, granular controls allowing visitors to accept or reject cookies as they please (e.g. cookie "on/off" switches); and
(c) critically, contains language explaining to visitors that their action or omission will indicate "acceptance" of cookies – for example, that by dismissing the cookie notice without changing cookie settings, individuals will accept the cookies the website operator serves.
In a perfect world, this notice would of course be given to the individual prior to the processing – for example, through a pop-up before cookies are served. However, Spanish data protection law does envisage the possibility of temporary processing prior to obtaining consent from the individual under certain circumstances – suggesting that, with sufficient transparency and control, a cookie notice and controls may be served contemporaneously with the cookies themselves.
To opt-in or not to opt-in, that is the question!
The position in Spain is therefore no different to that in many other territories – a regulatory preference for express opt-in consent, but with the possibility that lawful implied consent approaches can be adopted. The challenge for website operators is to design notices and controls that obtain freely given, unambiguous, specific and informed consent on an implied basis – a high threshold, certainly, but one that can be met with careful thought and design.