The Spanish Data Protection Agency (SDPA) has published brief guidance on the use of cookies (or similar technologies) as audience measurement tools (the “Guidance”). Within the framework of its guidance, the SDPA clarifies when consent is required pursuant to the Electronic Privacy Directive and establishes that consent is not always required.
This guidance describes how information processed through cookies (or similar technologies) for the use of traffic or performance statistics may be used by editors or by suppliers providing audience benchmarking services (as processors). It starts with clarifying what will be directly managed.
Then this guidance comes to the point. Cookies used for the purpose of obtaining traffic or performance statistics may be exempt from consent under certain conditions. Specifically, they (i) must be strictly limited to the exclusive measurement of the audience of the site or application on which they are used; (ii) the processing is carried out only on behalf of the editor and must only be used to generate anonymous statistical data;
These cookies must not match the data with other processing operations or transmit the data to third parties. We also cannot aggregate and track the navigation of people who use different apps or visit different websites. Therefore, the use of the same identifier (cookie ID) on multiple sites to cross-reference content, duplicate content, or measure uniform reach is excluded. Reuse of data for other purposes (as is the case with some commercially available audience measurement tools) is also excluded.
The guidance concludes by listing cases in which consent is not required.
-
Measuring the number of viewers per page.
-
A list of pages (sometimes called “referrers”) whose links you followed to request the current page, whether internal or external to your site. Calculated daily for each page.
-
We determine visitor device type, browser, and screen size on a page-by-page basis and aggregate them daily.
-
Page load time statistics aggregated by time per page.
-
Daily aggregated per-page statistics on time spent per page, bounce rate, and scroll depth.
-
Daily aggregated statistics on user actions (clicks, selections) per page.and
-
Per-page statistics about the geographic area from which requests originate. Calculated daily.
The guidance also sets out the minimum guarantees that editors (and providers) must implement regarding non-consent cookies for audience measurement. These include:
-
Users will be informed of the use of such cookies, including through the website or mobile application’s privacy policy.
-
The lifetime of these cookies or similar technologies should be limited to a period that allows for meaningful comparisons of audiences over time (SDPA has tentatively proposed a period of 13 months); It will not be automatically extended by new visits. Furthermore, it is indicated that the information collected by these cookies cannot be retained after 25 months.
Any such period shall be reviewed periodically to ensure that it is limited to the strictly necessary period.
-
Providers providing measurement services to multiple issuers must provide appropriate assurances to the latter that: (i) Data is processed independently for each issuer. (ii) the cookies or similar technologies used are completely independent from each other and from other cookies or similar technologies;
-
Data processing agreements concluded between editors and providers must include certain safeguards (such as prohibition of data reuse, guarantees in the case of multiple editors, etc.).
-
If the editor relies on a provider, the editor shall perform and document an assessment of whether the tools provided by the provider can and are configured to ensure compliance with the requirements set out in the guidance. will do.
The exception proposed by the SDPA shares many similarities in scope and conditions with the consent exception for the use of analytical cookies introduced by the CNIL and analyzed in more detail here.
[View source.]