Thinking about Spain, data privacy might not be the first thing that comes to mind. But there’s plenty to learn beyond delicious food, sunshine and sangria if you want to do business the right way and handle Spanish consumers’ data.
In this article, we go over the most recent changes in Spain's cookie laws, what they mean for businesses and how to ensure compliance. Keep on reading to learn more and get a clear picture of all the requirements for your organization.
Cookie consent law in Spain
In July 2020, the Spanish Data Protection Authority (AEPD) published an updated guide on the use of cookies, giving businesses three months to comply, with an October 31st deadline.
The main change in these updated guidelines revolved around consent: if cookies are dropped on any website, the site owner must collect visitors' consent to use them. This consent has to be “GDPR-valid”, i.e. a freely-given consent provided by a clear and affirmative action to the use of cookies and other trackers.
In addition, the updated guide revealed that cookie walls couldn’t be used anymore, as they do not offer a valid alternative to users. In essence, publishers shouldn’t force visitors to accept the use of cookies by making a service or product conditional on that acceptance.
Under the Organic Law of Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD) and the AEPD, penalties can reach up to 30,000€ for non-compliance. Websites that have been fined so far include Twitter, Innova Resort, and Petrolis Independents, for using cookies but failing to correctly inform their users.
Exceptions to Spanish cookie consent law
However, the scope of the Spanish cookie regulations reveals that not all cookies need to have valid consent from users.
Cookies that are excluded from the Spanish cookie rules include cookies used for purposes of authentication (during the session), online shopping carts, online contact for cookies to personalize the user’s interface, and plug-ins used to share on social media - but only for users who have signed up to have a social media account.
While obtaining cookie consent is generally recommended, using a cookie consent notice is not required for these situations.
Cookie consent requirements in Spain
The following elements are required to comply with Spain’s cookie consent law. All of them must be present for a website to remain in compliance with the current privacy regulations:
1. Valid consent
As a website owner or operator, you are legally required to collect the user’s valid consent.
Cookie consent must be GDPR-valid, meaning that the user must answer affirmatively that they consent to the use of cookies and other tracking while browsing the website. Consent must be a clear and affirmative action that requires the user to actually click “Yes” to accept cookies.
2. Separate consent
Separate consent to the use of cookies on a website must be put in place, as website owners must uphold certain transparency obligations to their users. Accepting cookies must be separate from the acceptance of terms and conditions of the general use of the privacy policy of the website.
3. Transparency requirements
The updated guideline states the information users should receive about cookies. It must be communicated in a clear, concise, and of course transparent way by using simple language. This information includes:
- A generic definition of cookies
- Information about the types of cookies used
- The identity of whoever will use these cookies (e.g., the website owner and/or third parties)
- Information about how to accept, reject, or revoke consent or delete cookies
- Information about the use of profiles to make automated decisions, if applicable
- The retention period and information on where users can find other information required under Art. 13 GDPR
4. Layered information format
A layered information format is one way in which consent can be obtained for the use of cookies. To do this, a first and a second information layer may be used.
The first information layer contains critical details about the publisher of the website, including:
- Why and how the cookies will be used,
- Information as to whether the cookies will be used solely by the publisher or also by third parties,
- The type of data being collected, and
- A visible link taking the user to the second information layer or cookie policy.
This guidance must be given to users before the installation of cookies in a format that is clear and understandable to users. The second information layer must also be clear and accessible to site visitors, and contain:
- A description and generic function of cookies,
- The cookie categories,
- A "how we use cookies" statement from the website, and
- How to accept, refuse or revoke the consent of cookies.

The cookie policy should always be easily accessible to users so that site visitors can easily make their cookie preferences known.
5. Accessibility and visibility of cookies
As previously noted, the cookie consent solution must be easily available. Its accessibility and visibility can be strengthened in several ways. For example, publishers can increase the size of the link to access the information, or use a different link or text than usual.
They can also position the link in areas that capture the users’ attention, use descriptive names for the link, or box, underline, or use other font techniques to highlight the importance of the cookies' visibility. Site owners can also install a button link that will stand out from other text on the website.
6. Easy withdrawal of consent
Websites are required to allow their users to withdraw consent to the use of cookies at any moment. This withdrawal must be available with a link button that, when clicked, indicates the site visitor's wish to refuse all cookies installed.
7. Cookie walls
A cookie wall requires that users accept a website's cookies policy before they can access its content. According to the new Spanish guidelines, cookie walls are not considered consent. Continued browsing without interacting with a cookie consent banner does not constitute valid consent.
8. Consent of minors
For children under 14 years, the website must try to verify that their consent to data collection has been given by a parent or guardian. Website visitors may be asked for their date of birth. If the year reveals the visitor is under age 14, the script code can then trigger an extra consent level requesting that a parent consent to the use of cookies.
In that instance, a separate HTML page would appear online. The parent or guardian is given a chance to preview the cookie consent before making a choice. If the parent agrees to the cookie policy, consent would apply to the child "as if" the child had given the consent.
9. Renewal of consent
When a user provides their valid consent to a website, its validity must not have a duration longer than 24 months. During this time span, the user will not be asked to provide valid consent every time they visit the website page on a consent management platform unless the intention of cookies has changed.
10. Liability
Websites and third parties managing cookies can highlight their relationship via contractual arrangements. These arrangements should be posted on the website so that they are clearly visible to website visitors.
What does a compliant cookie banner look like in Spain?
According to the Spanish guideline for cookies, information can be provided in two layers. The first layer must be identifiable by a generally used term such as “cookies” and must include the following information:
- Name of the site owner or owners
- The website's cookie policies
- Details as to whether third parties are involved
- General information on the type of data being collected
- How users can accept, set up, and reject cookie use
- A warning that, if the user proceeds with certain actions, they will accept the use of cookies
- A visible link to the second layer of information containing more detailed information
How to ensure compliance with the Spanish regulation on cookies
How can website publishers implement these new rules in an effective and reliable manner? This is where our company can help. Didomi works with websites and companies to build cookie consent codes in compliance with all applicable Spanish legal requirements.
FAQs about cookie consent in Spain
Do you have questions about cookie consent in Spain? Here are some Frequently Asked Questions that might help with ensuring your website stays in accordance with the new AEPD privacy laws, how you can get a copy of the guidelines to review, and whether cookie walls are legal.
What is the AEPD Guide on the use of cookies?
The AEPD guide on the use of cookies provides all the information your company needs to know to be in accordance with the new guidelines. You can access the entire guide here.
Are cookie walls legal and is continued browsing considered a valid way to obtain consent in Spain?
No. Cookie walls are an illegal way for website owners and operators to collect users' data through the manipulative appearance of asking for consent. Continued browsing is not considered a valid way to obtain consent in Spain, since consent must be given freely and directly by the site visitor. This requirement is necessary to comply with the EU and Spanish laws.
When does the AEPD cookie guide come into force and where does it apply?
The AEPD guide came into force on October 31, 2020, and applies to website controllers in Spain.