Spanish Data Protection Agency (SDPA) clarifies the content of Cookies Policies


The Spanish Data Protection Agency (SDPA) has recently published a Report which, as well as clarifying that the term "Cookie" covers all mechanisms that allow storage and recovery of data from users' devices, spells out which information on cookies must be provided in the Cookie Policy (or second layer in the Two Layer Information System*).

Following the lines of prior reports, the SDPA recommends editors use the Two Layer Information System in order to fulfil their legalobligation to (i) inform Users, and (ii) to obtain their consent.

Regarding Cookie Policies (Layer 2), editors must clearly state the name, purpose, use and ownership of the cookies and identify all third parties who have access to the data; however, in order to provide said information, the SDPA clarifies that an extensive table providing the name of each cookie is recommendable but not necessary and that group references of cookies (i.e. groups of cookies with the same functions) are permissible as long as the type of cookie, purpose, use and owners are clearly identified and are not ambiguous.

Moreover, using links to third party websites in order to provide said information is admissible as long as the editor of the website ensures that the links (i) work properly, (ii) provide up to date information and (iii) that the information provided through the linked website is in Spanish (or, alternatively, in Catalan, Galician or Basque, if the website is in one of these co-official languages). The SDPA specifically points out that information in English or any other language would not be admissible to meet the legal duty to provide users with clear information.  

To see the full text of the Report (only available in Spanish), please click here.