If I do not use any external script that can create cookies such as Google analytics, facebook or twitter buttons or anything similar and the only cookie that can be generated is the one used by PHP for session control.
- Is it necessary to define a cookie policy?
- If so: Is it necessary for the user to accept the cookie policy?
I understand that it is more of a legal issue than a programming issue, but since I am sure that many programmers do not have legal advice to resolve this type of issue, it would be good for us to lend a hand through these forums.
In the case of using only session cookies, it is not necessary to define an acceptance policy for them. You can currently find all the information on the website of the Spanish Agency for Data Protection (AEPD) , and more specifically in the Guide on the use of cookies , provided by the agency itself.
In section 1 (Scope of the standards) of section II of this guide, it is quoted verbatim:
You can also find this same information on the European Commission website .
December 2018 Update: Due to changes on the website of the Spanish Data Protection Agency (AEPD), the document I refer to in the response is no longer accessible through that link. You can find the guide here .