A few months ago we published a blog entry on the Spanish cookie law and how to comply with it, titled “Does your website comply with the Spanish cookie law?”. We left some answers pending the outcome of the first disciplinary proceedings on this matter in Spain, since it was essential to know what line the Administration would take on interpreting and enforcing the law and on the sanctions to be applied.

There is already a resolution and there are some interesting things to consider in it:

FIRST.- The companies penalised were not large companies with a high volume of internet traffic or income, but small jewelry companies. It therefore seems that the Spanish Data Protection Agency is sending a warning that strict compliance is required and expected from everyone.

SECOND.- The Agency is strict with regard to compliance with the duty of information on the terms contained in the law.

The most common way of displaying the info is in two layers (a basic first and a second more complete) and there is a duty to report the following:

* To warn on use of cookies

* To identify their purpose and if they are own or third party cookies

* To alert that any further action from the user will imply acceptance (if that is the case)

* To insert a link to a second layer which must include the following information:

  • General definition and function of cookies
  • List of all cookies used in the website and their purpose
  • How to disable or delete cookies set forth, either by using the tools provided by the editor of the page, or those given by the most commonly used browsers, or common platforms that might exist, as well as how to revoke the consent previously given
  • Identification of who uses the cookies to be installed

Therefore, any information provided that is not clear enough, does not use simple language and is not located in a prominent and conspicuous location, or that does not include all the information required, may be sanctioned by the Administration.

THIRD.- The penalties finally imposed, 3.000 Euros and 500 Euros, are not too high, considering that the minimum penalties under the law could reach 30.000 Euros. The Agency justified its decision on the grounds that the acts were unintentional and did not generate a proven benefit or an increase in turnover for the companies concerned. Other aspects to take into account when assessing the amount of the penalties are the duration of the infringement, the damage or prejudice caused, and recidivism.

FOURTH.- Perhaps the most shocking part, as indicated by Pablo F. Burgueño, attorney of the sanctioned companies and a specialist in this field, is that the Agency declines to sanction the installation of cookies before the user has given consent, which was clearly what caused most of the problems in implementing this law. The resolution reads on this point:

“It has also been proved that the use of cookies by the aforementioned entities is performed without any informed consent referred to the Article 22.2 of the LSSI, although the violation of this requirement prior to installation cookie is not punishable under the wording of Article 38.4.g). Keep in mind that administratively sanctioning governing principles of legality and criminality contained in Articles 127 and 129 of the Act 30/1999, of 26 November, on the Legal Regime of Public Administrations and Common Administrative Procedure, which require restriction to the literal meaning of the provision and the definition provided with respect thereto, without in any way fit to carry out a broad interpretation. Therefore, you cannot be punished for a conduct that is not covered in the penalty rate fixed in the article 38.4.g) LSSI, since this provision refers to establishing a rejection procedure of data processing.” 

This is hard to understand, since Article 38.4.g) classifies as a minor infringement “the failure in the information and notification requirements or establishing a rejection procedure of data processing, set out in paragraph 2 of Article 22, when it does not constitute a serious offense.”

And the said Article 22.2 reads: “Service providers can use storage devices and data recovery in the recipients' terminal equipment, provided that they (the recipients) have given their consent after they (the service providers) have provided them with clear and comprehensive information on use…”.

That is to say, failing to seek consent before installing cookies would also be a breach of Article 22.2, and not only providing information that was not clear and comprehensive enough. The Agency's interpretation is therefore somewhat strange, since it overlooks part of Article 38.4.g).

Conclusions:

– All companies, regardless of their size and the number of visitors to their sites, are required to provide information in a complete, simple and clear way on those non-exempt cookies that they intend to install in the user’s terminal.

– A website may choose not to use any own or third-party cookies, in which case it does not have to comply with this information requirement.

– It seems that the Agency has, for the time being, no intention to punish the infringements severely.

– The Agency's interpretation that the breach of the obligation to inform prior to the installation of the cookies is not punishable makes things easier for those who wish to use cookies on their pages: the technical, aesthetic and performance difficulties of blocking cookies until the user has consented cease to be an issue, given the lack of sanction.

Therefore, from now on it seems that we just have to worry that all the required information reaches the user, not that it arrives before the cookies are installed and the user accepts the installation thereof.

Luis M. Vicente Burgos
VICENTE & OTAOLAURRUCHI ABOGADOS