The guidelines cover the problems encountered with cookies and they explain certain current controversial issues, mainly due to the implementation of the existing law on data protection and the LSSI (Law 34/2002, dated the 11th of July, on information society services and electronic commerce). In particular, it focuses on the transparency and information obligations and on obtaining the specific consent of the user.
Accordingly, cookies that process the personal data of users or help identify them are subject to the information obligation and must obtain the users’ consent.
However, the AEPD has compiled a list of cookies in which the aforesaid consent is not required, such as, for example, the cookies that are used for: user authentication or identification (session cookies), the security of the user, media player, etc.
Therefore the cookies that are used by the websites must be checked and more importantly, what they are actually used for must be reviewed in order to determine whether the specific consent of the users is indeed required to comply with the guidelines that the AEPD will use, where appropriate, to penalize.