New guidance on analytic cookies in Spain – is consent always required? – Technologist

The Guidance starts by clarifying how the information processed via cookies (or similar technologies) for the use of traffic or performance statistics may be managed directly by the editor or by a supplier providing an audience benchmarking service (as a processor).

Then, the Guidance gets to the point: cookies used for the purpose of obtaining traffic or performance statistics can be exempted from consent under certain conditions. Specifically, (i) they have to be strictly limited to the exclusive measurement of the audience of the site or application on which they are used; and (ii) the processing must be carried out exclusively on behalf of the editor and used to produce anonymous statistical data only.

These cookies must not result in data being matched with other processing operations, nor in data being transmitted to third parties, and they may not allow aggregate tracking of the navigation of a person using different apps or browsing different websites. Therefore, using the same identifier (i.e. cookie ID) on several sites to cross-reference, duplicate or measure a unified reach rate of a piece of content is excluded. The reuse of data for other purposes (as is the case of several audience measurement tools available on the market) is also excluded.

The Guidance concludes by listing the cases in which consent is not required:

  • Page-by-page audience measurement;

  • The list of pages from which a link has been followed to request the current page (sometimes called a “referrer”), whether internal or external to the site, by page and aggregated daily;

  • Determination of visitors’ device type, browser and screen size, by page and aggregated daily;

  • Page load time statistics, per page and aggregated hourly;

  • Statistics on time spent per page, bounce rate, scroll depth, per page and aggregated daily;

  • Statistics on user actions (clicks, selections), per page and aggregated daily; and

  • Statistics on the geographic area of origin of the requests, by page and aggregated daily.

The Guidance also provides for minimum guarantees editors (and providers) must implement regarding consent-exempted cookies for audience measurement. These include:

  • Users shall be informed about the use of such cookies, for example, through the privacy policy of the website or the mobile application.

  • The lifetime of these cookies or similar technologies should be limited to a period that allows for meaningful comparison of audiences over time (the SDPA tentatively proposes a period of 13 months), and which will not be automatically extended by new visits. Moreover, it is indicated that information collected by these cookies cannot be retained after 25 months.

Both such periods shall be reviewed periodically in order to be limited to what is strictly necessary.

  • Providers offering measurement services to several publishers must provide appropriate guaranties to the latter that: (i) the data is processed independently for each publisher; and (ii) the cookies or similar technologies used are completely independent of each other and of any other cookies or similar technologies.

  • The data processing agreements in place between editors and providers must include specific safeguards (e.g., prohibition of data reutilization, assurances in case of multiple editors, etc.).

  • Editor, when relying on a provider, shall perform and document an assessment on whether the tools provided by the latter can be and are configured to ensure compliance with the requirements listed in the Guidance.

The proposed exception by the SDPA shares many similarities, in its scope and conditions of application, with the consent exception for the use of analytical cookies introduced by the CNIL and analysed in more detail here.

 

Authored by Santiago de Ampuero, Clara Lázaro and Joanna Rozanska.

Add a Comment

Your email address will not be published. Required fields are marked *