The Spanish data protection authority updates its “Guide on the use of cookies” establishing new obligations to be fulfilled by companies before October 31



On July 28, 2020, the Spanish data protection authority- La Agencia Española de Protección de Datos (AEPD) - published the latest update of the "Guide on the use of cookies" (from now on the Guide) replacing its previous version, which had been issued on November 12, 2019.

The Spanish data protection authority enabled a transitional period of three months before the definitive entry into force of the Guide. However, this period is now coming to an end and in order to avoid sanctions, companies must adapt their cookie policy to the new Guide by October 31.

What are the main updates contained in the latest version of the Guide?

This recent update aligns the Spanish DPA’s position to that of the European Data Protection Board’s (EPBD) Guidelines 05/2020 of May 4 2020 regarding consent, namely on two main aspects:

  1. The lack of validity of the "continue browsing" option for collecting the users’ consent and;
  2. The prohibition of the so-called "cookie walls".

1. "Continue browsing" does not imply consent

The latest update of the Guide requires the user to perform an undoubtedly positive action, in order for consent to be validly granted. In this regard, the AEPD recommends companies to include two different buttons on websites, by which the user can accept, reject/set up cookies.  Otherwise, it is suggested to complete the information appearing in the first layer with a configuration panel (or a link to it) in which the user can accept or reject the cookies in a granular manner. In this sense, it is important to note that when providing information through layers, the first layer must contain the most essential information to be displayed when users access the webpage, such as the purpose of the cookies.

Notwithstanding the foregoing, the AEPD expressly establishes that it might be valid to obtain consent by users through conducts other than by electing an acceptance box, provided that such actions offer enough certainty that informed and unequivocal consent is given. In addition, the performance of such conduct by the user must be demonstrable.

The aforementioned update represents a major shift on the AEPD’s guidance. According to the previous version of the Guide (published in November 2019), browsing into a different section (other than the second informative layer or the privacy policy), closing down the announcement appearing in the first layer, scrolling down or interacting with the content of a website were considered as valid methods for giving consent on the part of users.

On the contrary, after the publication of the latest version in July 2020, it can no longer be considered that merely entering into a website, scrolling down or browsing, are methods of validly and unequivocally granting consent by users. Indeed, following the clarifications made by the AEPD, these actions cannot under any circumstances be understood as affirmative actions, since they can be confused with other interactions of the user. As a result, the conduct of the user of “continue browsing” is not a means to voluntary and unequivocally give consent.

2. Prohibition of "cookie walls"

"Cookie walls" limit access, in part or in full, to services or content of a particular website to users who do not accept the use of cookies.

The latest update of the Guide shows a more restrictive stance on "cookie walls", as it considers that the user must give his or her consent freely and that access to the services and functionalities of a website cannot be made conditional on the acceptance of the use of cookies. In spite of the above-mentioned, the AEPD admits the possibility of using cookie walls when the user is informed and an equivalent alternative to the service or content, without accepting the use of cookies, is offered.

It is important to note, that prior to the adaptation of the Guide, the AEPD allowed the use of "cookie walls" with almost no restrictions. In fact, the only case in which the use of cookie walls was prohibited, was when the denial of access to the website hindered the only means provided to exercise a legally recognized right of the user.

What are the penalties for not complying with the Guide?

In the Spanish legislative system, article 22.2 of the Act 34/2002 on Information Society Services and Electronic Commerce, legitimizes companies to install cookies. However, it sets out the obligation to inform users in advance and to obtain their valid consent. As a consequence of this legal regulation, the AEPD is able of initiating sanction procedures against companies who do not comply with these obligations.

In this context, it should be noted that sanctions for cookie infringement, as regulated in Act 34/2002, range from 30.000 euros for minor infringements to 600.000 euros for very serious offenses. In order to determine the severity of the sanctions, the AEPD takes into account factors such as the intentionality, the recurrence of the infringer or the period during which the infringement has been committed. Moreover, the Spanish data protection authority moderates the sanctions by considering mitigating circumstances, such as, diligently regularizing the situation, the acknowledgement of guilt by the offender or, in a scenario of merger by absorption, when the sanction is prior to the absorption process and it is not attributable to the absorbing entity.

By way of example, one of the latest sanctions imposed by the AEPD was enforced, in June 2020, against a well-known social network for installing "unnecessary cookies" without informing and correctly obtaining consent on the part of users. The sanction procedure, which was initiated following an individual’s complaint, ended with the imposition of a fine of 30.000 euros to the company. Likewise, in January 2019, the AEPD imposed a fine of 10.000 euros to the Spanish subsidiary of a multinational company for installing cookies without previously obtaining the informed consent of users. In the latter case, the Spanish Data Protection authority ended up reducing the amount of the sanction by taking into consideration mitigating factors.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising

Written by:


Dentons on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.