Cookies and other similar technologies are tools used by website servers to store and retrieve information about their visitors, as well as to ensure the proper functioning of the site. The information collected by cookies may include personal data, but it can also contain non-personal data. Cookies can be classified according to the following criteria:

• According to their purpose.

  • Technical and Functional Cookies (Necessary): These are cookies that allow users to navigate through a website, platform, or application and use the different options or services available on them.

  • Analytical Cookies (Statistics): These are cookies that allow the owner to track and analyze the behavior of users on the linked websites. The information collected through these cookies is used to measure the activity of the websites, applications, or platforms and to create user browsing profiles. This data analysis is used to improve the services based on user usage data.

  • Advertising Cookies (Marketing): These are cookies that enable the most efficient management of advertising spaces included by the publisher on a website, application, or platform while providing the requested service. The management is based on criteria such as the edited content or the frequency of displaying ads.

  • Behavioral Advertising Cookies: These cookies collect information about the user's preferences and personal choices (retargeting) to enable the most efficient management of advertising spaces included by the publisher on a website, application, or platform while providing the requested service.

  • Social Cookies: These are set by social media platforms on services to allow users to share content with their friends and networks. Social media platforms have the ability to track your online activity outside the services, which may affect the content and messages you see on other visited services.

  • Affiliate Cookies: These cookies enable tracking visits from other websites with which the website has an affiliate contract (affiliate companies).

  • Security Cookies: These store encrypted information to prevent the data stored in them from being vulnerable to malicious attacks by third parties.

• According to ownership.

  • First-party cookies: These are cookies that are sent to the user's terminal equipment from a computer or domain managed by the website publisher who provides the requested service to the user.

  • Third-party cookies: These are cookies that are sent to the user's terminal equipment from a computer or domain that is not managed by the website publisher, but by another entity that processes the data obtained through the cookies.

• According to the storage period.

  • Session cookies: These are cookies designed to collect and store data while the user accesses a website.

  • Persistent cookies: These are cookies in which the data remains stored on the device and can be accessed and processed for a defined period determined by the cookie's controller, which can range from a few minutes to several years.

The LSSICE (Spanish Law on Information Society Services and Electronic Commerce) has established in Article 22 that service providers can use storage and retrieval devices, such as cookies, on users' terminal equipment once they have given their consent regarding the purposes of data processing.

Similarly, Directive 2002/58/EC has stipulated that the storage of information or access to information already stored on a user's terminal equipment is only allowed if the user has given consent after being provided with clear and comprehensive information about the purposes of data processing.

Both the LSSICE and Directive 2002/58/EC generally require user consent for the use of cookies. This consent must be obtained in accordance with the conditions set out by the GDPR, as mentioned earlier.

As an exception to the above, both regulations authorize the storage or access to technical information solely for the purpose of transmitting a communication over an electronic communications network or to the extent strictly necessary for a service provider of an information society service to provide a service explicitly requested by the user. This means that consent is not required for the use of technical or functional cookies.

To comply with these requirements, the Spanish Data Protection Agency (AEPD) recommended the use of a layered information system to users through its Guide on the Use of Cookies, published in July 2020. This would involve using a mechanism to obtain consent through a banner that appears for the first time when the user accesses the website, with a size that allows for perceptibility.

This banner should allow the maintenance of the default settings and, at the same time, allow for the possible expression of a positive action on which the user's consent for the installation of cookies on their device is based.

Maintaining the default settings should always result in the refusal of consent for the placement of cookies and the use of only technical or functional cookies.

This banner should include at least the following indications and options:

• Notice that closing the banner implies the continuation of the default configuration.

• Minimum information about the use of cookies or other technical tools on the site and the possibility, only after obtaining the user's consent, of using other cookies as well.

• Link to detailed information in a second layer.

• A command through which the user can express their consent by accepting the placement of the remaining cookies

Additionally, users should be able to modify their choices immediately and intuitively through a special area that can be accessed.

Cookies should be able to be authorized separately without excessive granularity. The AEPD suggests a selection of cookies by purpose.