Thinking about Spain, data privacy might not be the first thing that comes to mind. But there’s plenty to learn beyond delicious food, sunshine, and sangria if you want to do business the right way and handle Spanish consumers’ data.
In July 2023 the Spanish Data Protection Agency (AEPD) updated its requirements on cookie consent banners in line with new directives issued by the European Data Protection Board. These new requirements have been enforced since January 11, 2024, and apply to any website with traffic coming from Spain.
This article covers the most recent changes in Spain's data privacy laws, what they mean for businesses, and how to ensure compliance.
Note: In January 2024, the AEPD released a guide on the use of cookies in Spain, including guidance on consent requirements, analytics cookies, paywalls, and more.
The context surrounding cookie consent law in Spain
In July 2020, the Spanish Data Protection Authority (AEPD) provided an updated guide about the use of cookies, giving businesses a three-month time limit to comply and an October 31 deadline.
The main change in these updated guidelines revolved around consent: if cookies are dropped on any website, the site owner must collect visitors' consent to use them. This consent has to be “GDPR-valid”, i.e. a freely-given consent provided by a clear and affirmative action to the use of cookies and other trackers.
Under the Organic Law of Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD) and the AEPD, penalties can reach up to 30,000€ for non-compliance. Companies fined have included Twitter, Innova Resort, and Petrolis Independents, for using cookies but failing to inform their users correctly.
Since then, the AEPD has updated its requirements on cookie consent banners in line with new directives issued by the European Data Protection Board. New requirements were announced in July 2023, and enforcement is set to start on January 11, 2024, applying to any website with traffic coming from Spain.
Let’s take a closer look.
How to comply with Spain’s new data privacy requirement
Here are the main elements to keep in mind ahead of January 2024:
1st layer of the consent banner
The information provided on the first layer of the consent banner must include:
- The name of the publisher of the website
- The purpose of processing cookies
- Information indicating whether the cookies belong to the publisher or to third parties
- Generic information on the type of data that will be collected and used when creating user profiles
- How the user can accept, configure, and refuse the use of cookies
Essentially, the first layer of the consent banner must show:
- A button or equivalent mechanism, easily visible, with the words "Accept cookies," "Accept," "Consent," or similar.
- A button or equivalent mechanism, similar to the previous one (if an accept button is used, a reject button must be used), with the words "Reject cookies," "Reject," or equivalent, to refuse the use of cookies.
- A button or equivalent mechanism, clearly visible but not necessarily similar to the above, that displays or leads to a control panel (settings panel) allowing users to accept or refuse cookies on a granular basis, at least according to their purpose.
- A clearly visible link to a second layer of more detailed information, using, for example, the terms "Cookies," "Cookie policy" or "More information, click here." The control panel can be integrated into this second layer if this access is direct.
2nd layer of the consent banner
A control panel or settings panel can be included in the second layer of the banner. That panel must clearly indicate how to save the user's selection. For example, a button with the text "Save selection," "Save configuration" or equivalent.
Under no circumstances may options pre-marked in favor of accepting cookies be used to obtain valid consent.
The degree of granularity when displaying the selection of cookies must be assessed by the site publisher, although it is advisable to take into account the following rules:
- Cookies should be grouped at least according to their purpose so that the user can accept cookies for one or more purposes
- Within each purpose, and at the site editor's discretion, cookies may also be grouped according to the third party responsible for them (for example, the user could choose to accept cookies from one third party and not from another)
- In the case of third-party cookies, it is enough to identify them by their name or by the brand name with which they are identified to the public
Methods for obtaining consent
As a reminder, the following points must be followed when collecting consent:
- A clear indication must be provided of whether consent is given solely for the web page on which it is requested or also for others, including other web pages of the same publisher or of third parties associated with the publisher.
- The option of refusing cookies must be offered to the user at the same time, at the same level, and with the same visibility as the option to accept them, and the mechanism used (button or other) must be similar, without sending the user to another layer or to another location to carry out this action.
- Under no circumstances shall mere inactivity imply the provision of consent by the user.
- Consent must be given by a clear positive action.
Duration of cookies
The updated guide on the use of cookies from the AEPD recommends limiting the cookies' lifespan to 13 months without automatic renewal on new visits.
Use of cookie walls
The use of cookie walls can be legal, provided that the user is sufficiently informed and that an alternative is offered to access the service without having to accept the use of cookies.
Please note that the services of the two alternatives must be truly equivalent and that the equivalent service cannot be offered by an entity other than the publisher.
Deadline
The criteria included in the Guidelines must be implemented by 11 January 2024 at the latest.
How can Didomi help ensure compliance with Spanish data privacy regulations?
The team at Didomi is dedicated to helping organizations implement great Privacy UX practices, starting with ensuring compliance with global data privacy regulations.
For website publishers with traffic coming from Spain, it all starts by implementing a Consent Management Platform (CMP), which will help collect, store, and leverage consent in a compliant manner. Managing compliance with the new data privacy requirements in Spain is a seamless process in the Didomi Console, where users are able to easily add a disagree option to their banner, update its appearance to reflect guidance from the AEPD, and more.
Frequently Asked Questions (FAQ)
What recent changes have been made to Spain’s cookie laws?
The Spanish Data Protection Agency (AEPD) updated its requirements on cookie consent banners in July 2023 to align with new directives from the European Data Protection Board. These requirements have been enforced since January 11, 2024, and apply to all websites with traffic from Spain.
What is the main change in the cookie consent requirements?
The most significant change in the updated guidelines is related to consent. Namely, websites must add a mandatory reject button on the first layer of their consent banner.
Are there exceptions to the Spanish cookie consent law?
Yes, there are exceptions. Consent is not mandatory for cookies for authentication, online shopping carts, user interface personalization, and social media sharing plugins (only for users with social media accounts).
What are the requirements for a compliant cookie consent banner in Spain?
A compliant cookie consent banner in Spain should obtain GDPR-valid consent separately from acceptance of other terms and conditions. It should provide transparent information about the cookies used, including their type and purpose, and the identity of the third party they are shared with, in clear and concise language. The banner should also facilitate easy withdrawal of consent.
What information should the first layer of a consent banner include?
The first layer must display the publisher's name, the purposes of processing cookies, information on cookie ownership (publisher or third parties), generic data type information to be collected for user profiles, and instructions on how users can accept, configure, or refuse the use of cookies.
How should consent be obtained for minors under 14 years old?
Websites should verify that consent for data collection from children under 14 has been given by a parent or guardian. This might involve asking for the user’s date of birth, and if they are under 14, triggering an extra consent level that a parent or guardian must approve.
What happens if websites do not comply with the Spanish cookie laws?
Websites that fail to comply with the Spanish cookie consent regulations may face penalties imposed by the Organic Law of Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD) and the AEPD, with fines reaching up to 30,000€.