How to comply with the Law of Cookies and avoid Sanctions in Spain

On 14 of January 2014, two Spanish businesses were fined for failing to comply with the Law of Cookies. The fines, of a relatively reduced amount (3.000 euros fine for one and 500 € fine for the other), should be understood as a call to attention for electronic businesses established in Spain or those that lend services or that advertise their services in Spanish territory.

I. Penalised behavior

It must first be understood what offence the two Spanish businesses committed and for which they were sanctioned. The decision of the Spanish Agency for Data Protection (AEPD) on 14 of January 2014 is clearly summarised in the Eighth and Tenth Proven Facts and in the Seventh and Eighth Foundations of Law.

The Eighth Proven Fact of the AEPD’s decision states the following: The use of the mentioned services”, these are Google Analytics, Youtube, Zopim, TradeDoubler, Magento and WordPress, “gives rise to the downloading of different types of cookies not exempt from the duty to provide prior information to the user that accesses the websites under its ownership.

Likewise, the Tenth Proven Fact adds: they install and use cookies, both their own and those of third parties, not exempt from the duty to provide prior information as to their storage in the users’ terminals.

As explained by the decision’s Foundations of Law, this behavior is punishable for the inability of users to express their consent or rejection to the use of the cookies. The lender of services has a duty, in the first place, to inform users, among other things, of the type of cookies that are going to be installed in their terminal and the purposes to which the installation of the cookies complies.

Once the duty of information is completed in a satisfactory way, the lender of services should also gain the user’s prior consent and verbal agreement, which will only be valid when the user has been duly informed.

The only exception to the duties of (i) prior information and (ii) duly informed express consent are exempt cookies. These cookies are characterized as limiting themselves by complying with any of the following criteria: (i) when the cookie is used only for the transmission of a communication by an electronic communications network or (ii) when the cookie is strictly necessary for the lending of a service of a company of the information expressly requested by the receiving party.

II. Applicable Sanctions

The offences and sanctions applicable to these infractions are noted in Title VII of Law 34/2002, of 11 of July, on information and electronic commerce services of companies (articles 37 to 45).

The offences described above are considered minor according to article 38.4 g): Using storage devices and data recovery when the information was not provided or the consent of the receiver was not gained for the service in the terms demanded by article 22.2.

In virtue of article 39, the commission of a minor offence is punishable with a fine of 30.000 euros. Therefore, although it is very improbable that a sanction of this quantity will be imposed without causing restraint, electronic businesses should prepare their websites to comply strictly with the obligations above, provided that they contain cookies that are not exempt.

This article is not considered as legal advice

Nicolás Melchior

A Law graduate from the Universidad Carlo III de Madrid, Nicolás Melchior specialises in corporate Law, commercial contracts and electronic commerce. Working languages: Spanish, German, English and French. For any further enquiries please Contact us