Thinking about Spain, data privacy might not be the first thing that comes to mind. But there’s plenty to learn beyond delicious food, sunshine and sangria if you want to do business the right way and handle Spanish consumers’ data.
In this article, we go over the most recent changes in Spain's cookie laws, what they mean for businesses and how to ensure compliance. Keep on reading to learn more and get a clear picture of all the requirements for your organization.
Cookie consent law in Spain
Under the Organic Law of Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD) and the AEPD, penalties can reach up to 30,000€ for non-compliance. Websites that have been fined so far include Twitter, Innova Resort, and Petrolis Independents, for using cookies but failing to correctly inform their users.
Exceptions to Spanish cookie consent law
However, the scope of the Spanish cookie regulations reveals that not all cookies need to have valid consent from users.
Cookies that are excluded from the Spanish cookie rules include cookies used for purposes of authentication (during the session), online shopping carts, online contact for cookies to personalize the user’s interface, and plug-ins used to share on social media - but only for users who have signed up to have a social media account.
While obtaining cookie consent is generally recommended, using a cookie consent notice is not required for these situations.
Cookie consent requirements in Spain
The following elements are required to comply with Spain’s cookie consent law. All of them must be present for a website to remain in compliance with the current privacy regulations:
1. Valid consent
As a website owner or operator, you are legally required to collect the user’s valid consent.
2. Separate consent
3. Transparency requirements
The updated guideline states the information users should receive about cookies. It must be communicated in a clear, concise, and of course transparent way by using simple language. This information includes:
A generic definition of cookies
Information about the types of cookies used
The identity of whoever will use these cookies (e.g., the website owner and/or third parties)
Information about how to accept, reject, or revoke consent or delete cookies
Information about the use of profiles to make automated decisions, if applicable
The retention period and information on where users can find other information required under Art. 13 GDPR
4. Layered information format
The first information layer contains critical details about the publisher of the website, including:
Why and how the cookies will be used,
Information as to whether the cookies will be used solely by the publisher or also by third parties,
The type of data being collected, and
This guidance must be given to users before the installation of cookies in a format that is clear and understandable to users. The second information layer must also be clear and accessible to site visitors, and contain:
A description and generic function of cookies,
The cookie categories,
How to accept, refuse or revoke the consent of cookies.
5. Accessibility and visibility of cookies
As previously noted, the cookie consent solution must be easily available. Its accessibility and visibility can be strengthened in several ways. For example, publishers can increase the size of the link to access the information, or use a different link or text than usual.
They can also position the link in areas that capture the users’ attention, use descriptive names for the link, or box, underline, or use other font techniques to highlight the importance of the cookies' visibility. Site owners can also install a button link that will stand out from other text on the website.
6. Easy withdrawal of consent
7. Cookie walls
A cookie wall requires that users accept a website's cookies policy before they can access its content. According to the new Spanish guidelines, cookie walls are not considered consent. Continued browsing without interacting with a cookie consent banner does not constitute valid consent.
8. Consent of minors
9. Renewal of consent
When a user provides their valid consent to a website, that consent must not remain valid for longer than 24 months. During this time span, the user will not be asked to provide valid consent on a consent management platform every time they visit the website, unless the purpose of the cookies has changed.
Websites and third parties managing cookies can highlight their relationship via contractual arrangements. These arrangements should be posted on the website so that they are clearly visible to website visitors.
What does a compliant cookie banner look like in Spain?
According to the Spanish guideline for cookies, information can be provided in two layers. The first layer must be identifiable by a generally used term such as “cookies” and must include the following information:
Name of the site owner or owners
The website's cookie policies
Details as to whether third parties are involved
General information on the type of data being collected
How users can accept, set up, and reject cookie use
A visible link to the second layer of information containing more detailed information
How to ensure compliance with the Spanish regulation on cookies
How can website publishers implement these new rules in an effective and reliable manner? This is where our company can help. Didomi works with websites and companies to build cookie consent codes in compliance with all applicable Spanish legal requirements.
FAQs about cookie consent in Spain
Do you have questions about cookie consent in Spain? Here are some Frequently Asked Questions that might help with ensuring your website stays in accordance with the new AEPD privacy laws, how you can get a copy of the guidelines to review, and whether cookie walls are legal.
Are cookie walls legal and is continued browsing considered a valid way to obtain consent in Spain?
No. Cookie walls are an illegal way for website owners and operators to collect users' data through the manipulative appearance of asking for consent. Continued browsing is not considered a valid way to obtain consent in Spain, since consent must be given freely and directly by the site visitor. This requirement is necessary to comply with the EU and Spanish laws.
When does the AEPD cookie guide come into force and where does it apply?
The AEPD guide came into force on October 31, 2020, and applies to website controllers in Spain.