Cookies under Spanish data protection law

In September 2019, a fine of €30,000 was imposed on VUELING AIRLINES, S.L. It had not allowed website visitors to manage its cookies and those of third parties with an easily accessible tool.
Information society service providers in Spain are subject to very detailed requirements regarding the use of cookies and similar technologies.
In November 2019, the AEPD published a guide in Spanish on the use of cookies and similar technologies (hereinafter referred to as cookies). It allows companies to use cookies on their websites in a legally compliant manner and offers detailed explanations and formulation examples. The key points are as follows:

Fulfilment of information obligations

  • Cookies must be explained to the user in a transparent form. In particular, information on the mode of operation of the respective cookie, storage period, data transfer to third parties and third countries, objection and revocation modalities, profiling and all other information in accordance with Art. 13 GDPR must be provided. This may be implemented in the form of a cookie policy.
  • The information must be easily accessible, e.g. through a designated link in a prominent location.
  • Information can be made available to users in a layered form. In particular, this form of presentation may be implemented in a Consent Management System.
  • Information on cookies can also be made available to users on another medium (e.g. an offline information sheet).

Obtaining consent

  • Users cannot consent to the use of cookies solely by browsing a website. A clearly affirmative action is the minimum requirement for effectively given consent.
  • Users must be able to refuse cookies, giving them an actual right to choose. In special cases, it is possible to deviate from this.
  • Consent can be obtained, for example, before downloading an app, when setting up an app, via a consent banner or via the user’s browser settings (the latter only under strict conditions).
  • Cookies at the first layer must at least be grouped by their purpose (e.g. website analysis and marketing). This allows the user to make an informed choice. It is not recommended to enable individual selection of each cookie, as this leads to information overload.
  • The consent must be verifiable.
  • Revocation and objection settings must be accessible at all times. Placement of such settings in the cookie policy is permitted.
  • The revocation of consent must be as simple as giving it and must be possible at any time.
  • For minors under the age of 14, consent must be obtained from their legal guardian. Depending on the risk posed by the cookie, reasonable efforts must be made to verify the person giving the consent.
  • A website operator may obtain consent for several Internet sites at once, provided he gives sufficient information. Internet sites with deviating content (e.g. websites with content harmful to minors) must be clearly indicated.
  • Users can also give their consent on another medium (e.g. offline registration card).
  • In the opinion of the AEPD, consent must be obtained anew every 24 months at the latest.

An exception exists for cookies that solely establish the connection between the terminal device and the network or provide a service expressly requested by the user. Therefore, no consent is required for the following cookie-based functions:

  • Auto-Fill;
  • Authentication;
  • Security;
  • Multimedia Playback;
  • Website interface personalization (e.g. user selects language); and
  • Social media plugins (very limited).

If personal data is processed using cookies, the information obligations in accordance with Art. 13 GDPR must nevertheless be fulfilled.
