Thinking about Spain, data privacy might not be the first thing that comes to mind. But there’s plenty to learn beyond delicious food, sunshine, and sangria if you want to do business the right way and handle Spanish consumers’ data.
In July 2023, the Spanish Data Protection Agency (AEPD) updated its requirements on cookie consent banners in line with new directives issued by the European Data Protection Board. These new requirements have been enforced since January 11, 2024, and apply to any website with traffic coming from Spain.
This article covers the most recent changes in Spain's data privacy laws, what they mean for businesses, and how to ensure compliance.
The context surrounding cookie consent law in Spain
Under the Organic Law of Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD) and the AEPD, penalties can reach up to 30,000€ for non-compliance. Companies fined have included Twitter, Innova Resort, and Petrolis Independents, for using cookies but failing to inform their users correctly.
Since then, the AEPD has updated its requirements on cookie consent banners in line with new directives issued by the European Data Protection Board. New requirements were announced in July 2023, and enforcement is set to start on January 11, 2024, applying to any website with traffic coming from Spain.
Let’s take a closer look.
How to comply with Spain’s new data privacy requirement
Here are the main elements to keep in mind ahead of January 2024:
1st layer of the consent banner
The information provided on the first layer of the consent banner must include:
The name of the publisher of the website
The purposes of processing cookies
Information indicating whether the cookies belong to the publisher or to third parties
Generic information on the type of data that will be collected and used when creating user profiles
Essentially, the first layer of the consent banner must show:
A button or equivalent mechanism, easily visible, with the words "Accept cookies," "Accept," "Consent," or similar.
2nd layer of the consent banner
A control panel or settings panel can be included in the second layer of the banner. That panel must clearly indicate how to save the selection made by the user. For example, a button with the text "Save selection," "Save configuration" or equivalent.
Under no circumstances may options pre-marked in favor of accepting cookies be used to obtain valid consent.
The degree of granularity when displaying the selection of cookies must be assessed by the site publisher, although it is advisable to take into account the following rules:
Cookies should be grouped at least according to their purpose so that the user can accept cookies for one or more purposes
Within each purpose, and at the site editor's discretion, cookies may also be grouped according to the third party responsible for them (for example, the user could choose to accept cookies from one third party and not from another)
In the case of third-party cookies, all you have to do is identify them by their name or by the brand name with which they are identified to the public
Methods for obtaining consent
As a reminder, the following points must be followed when collecting consent:
A clear indication must be provided of whether consent is given solely for the web page on which it is requested or others, including other web pages of the same publisher or third parties associated with the publisher.
The option of refusing cookies must be offered to the user at the same time, at the same level, with the same visibility as the option to accept them, and the mechanism used (button or other) must be similar, without sending them to another layer or to another location to carry out this action.
Under no circumstances shall mere inactivity imply the provision of consent by the user.
Consent must be given by clear positive action
Duration of cookies
Use of cookie walls
Please note that the services of the two alternatives must be truly equivalent and that the equivalent service cannot be offered by an entity other than the publisher.
The criteria included in the Guidelines must be implemented by 11 January 2024 at the latest.
How can Didomi help ensure compliance with Spanish data privacy regulation?
The team at Didomi is dedicated to helping organizations implement great Privacy UX practices, starting with ensuring compliance with global data privacy regulations.
For website publishers with traffic coming from Spain, it all starts by implementing a Consent Management Platform (CMP), which will help collect, store, and leverage consent in a compliant manner. Managing compliance with the new data privacy requirements in Spain is a seamless process in the Didomi Console, where users are able to easily add a disagree option to their banner, update its appearance to reflect guidance from the AEPD, and more.
Frequently Asked Questions (FAQ)
What recent changes have been made to Spain’s cookie laws?
The Spanish Data Protection Agency (AEPD) updated its requirements on cookie consent banners in July 2023 to align with new directives from the European Data Protection Board. These requirements have been enforced since January 11, 2024, and apply to all websites with traffic from Spain.
What is the main change in the cookie consent requirements?
The most significant change in the updated guidelines is related to consent. Namely, websites must add a mandatory reject button on the first layer of their consent banner.
Are there exceptions to the Spanish cookie consent law?
Yes, there are exceptions. Consent is not mandatory for cookies for authentication, online shopping carts, user interface personalization, and social media sharing plugins (only for users with social media accounts).
What are the requirements for a compliant cookie consent banner in Spain?
A compliant cookie consent banner in Spain should obtain GDPR-valid consent separately from acceptance of other terms and conditions. It should provide transparent information about the cookies used, including their type and purpose, and the identity of the third party they are shared with, in clear and concise language. The banner should also facilitate easy withdrawal of consent.
What information should the first layer of a consent banner include?
How should consent be obtained for minors under 14 years old?
Websites should verify that consent for data collection from children under 14 has been given by a parent or guardian. This might involve asking for the user’s date of birth, and if they are under 14, triggering an extra consent level that a parent or guardian must approve.
What happens if websites do not comply with the Spanish cookie laws?
Websites that fail to comply with the Spanish cookie consent regulations may face penalties imposed by the Organic Law of Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD) and the AEPD, with fines reaching up to 30,000€.