Cookies law, is its application necessary?


News on cybersecurity, data protection and software solutions.

Cookies law, is its application necessary?

2 Jan, 17

Compulsory European cookie law

The origin of the commonly known cookie law has its origin in 2009, where the European Union published the Directive 2009/136 / EC , in which the following text can be read at point number 66:

cookie law promoted by the European economic community
There may be third parties who wish to store information about a user’s equipment or access information already stored, for different purposes, ranging from legitimate purposes (such as some types of cookies) to those that involve an unjustified intrusion into the private sphere ( such as spyware or viruses). It is therefore essential that users receive clear and complete information when they carry out an action that may lead to such storage or obtaining access. The way in which the information is provided and the right of refusal is offered must be as simple as possible for the user. The exceptions to the obligation to provide information and propose the right of refusal must be limited to those situations in which technical storage or access is strictly necessary for the legitimate purpose of allowing the use of a specific service specifically requested by the subscriber or user. . When technically possible and effective, in accordance with the relevant provisions of Directive 95/46 / EC, the user’s consent to accept the processing of data can be facilitated by using the appropriate parameters of the browser or other application. The application of these requirements should become more effective thanks to the strengthened powers granted to the national authorities.

The Spanish state, in the Royal Decree 13/2012 modified the Article 22.2 of the Law of the Information Services Society (LSSICE) adapting to the European directive, leaving the text as follows:
Service providers may use data storage and retrieval devices in terminal equipment of recipients, on condition of that they have given their consent after that they have been provided with clear and complete information on its use, in particular, on the purposes of data processing, in accordance with the provisions of Organic Law 15/1999, of December 13, on the Protection of Personal Data .

When it is technically possible and effective, the consent of the recipient to accept the treatment of the data may be provided by using the appropriate parameters of the browser or other applications, provided that the recipient must proceed with its configuration during its installation or update through an action. express to that effect.

The foregoing shall not prevent the possible storage or access of a technical nature for the sole purpose of carrying out the transmission of a communication over an electronic communications network or, insofar as it is strictly necessary, for the provision of an information society service. expressly requested by the recipient.

What is a cookie

Many will say: Yes, it is very good that you protect me with the cookie law of these data elements, but really, what are they and what dangers do they entail?

We will explain in a simple way that a cookie has the format of a text file that is stored on our device used to browse the Internet, a mobile phone, a tablet, or a computer, among others. This text file can have multiple utilities, from saving preferences on how to display a certain website to access credentials. Per se a cookie is not dangerous , since it is a file that contains text.

The use that will be given to the cookies that it establishes, as well as the format and the data stored in them, remains in the hands of the website developer. Additionally, the security measures associated with the recorded data will also fall on the website developer. By delegating this point to the developer himself, we can find different examples of applied security, being able to leave part of the private information exposed.

Are you telling me that a website can expose my data? But exposed to everyone?
As a short answer , Do not. It is not possible that due to visiting a website, it has access to cookies from another website. An Internet browser cannot expose data from other websites.

As a long answer , are text files, and as such could be read by malicious third-party software. In the event that a spy program is installed on our computer equipment and attempts to access the place where our browser stores these cookies, the attacker could obtain these data. But in itself, this would have to be the least of our concerns if spyware were installed on our system. In our computer equipment we surely have more critical sensitive data to be read than in a simple browser cookie, where the developer will usually take measures to obfuscate important data.

Penalties for non-compliance

In this case we find ourselves with a curious situation, everything and the development of this cookie law for the protection of the data of users who use and / or access websites, the form that has been implemented, has caused the Internet to be filled with the different pop-up and / or information windows on the use of this technology. Browsers themselves already incorporate mechanisms that can be used to accept or deny certain cookies, but the general ignorance of the average user prompted the creation of this requirement.

As a website owner, the obligation to implement cookie notices cannot be circumvented. The penalties for non-compliance can be seen in the following table:

Mild Failure to comply with the information obligations or the establishment of a procedure for refusing data processing. Up to € 30,000
Serious The significant breach of the information obligations or the establishment of a procedure for the rejection of data processing. From € 30,001 to € 150,000


In August 2013, the Spanish Data Protection Agency issued the first exemplary sanction referring to a breach of the LSSICE. The increase in complaints and systematic non-compliance has led to an increase in inspection actions and sanctions, by the Spanish Data Protection Agency, the Secretary of State for Telecommunications, and other competent bodies and courts. We cannot ignore this requirement, although we may consider it trivial, given that the consequences can lead to significant economic losses.

Let's check if your business is cookie law compliant

Without any doubt: we study your website and confirm whether or not it is regulatory compliant. Non-binding consulting!


Submit a Comment

Your email address will not be published.


Related posts

More and more legal obligations for your company

More and more legal obligations for your company

Keeping your company's regulatory compliance under control is becoming increasingly complex, as in recent years there have been constant changes in the legal framework, both at state and European level: Personal data protection Obligation of preventive cybersecurity...