News

At Last, the EU Cookies Regulation Is Implemented in Spain

10 April 2012
Image
Image

On April 2, after almost a year of delay, Spain published Royal Decree-Law 13/2012 requiring opt-in consent to place cookies as required by the EU e-Privacy Directive (2009/136/EC, modifying Directive 2002/58/EC).

Previously, the use of cookies by service providers was regulated by Article 22 of Law 34/2002 on Information Services and Electronic Commerce ("ISSA"), which implemented in part the EU Directive on Electronic Commerce (2000/31/EC). Under that law, when a service provider placed cookies it was required to inform users of the cookies’ existence and the purposes for which the cookies were used.  In addition, service providers had to give users an option to reject cookies using a simple and free method, unless those cookies were used to facilitate the operation of an electronic communication network or to carry out an explicit request of a user.  In practice, Spanish companies complied with this requirement by providing users with information about how to disable cookies through their web browsers.

Royal Decree-Law 13/2012 dramatically modifies Article 22 of the ISSA by requiring service providers who want to use "devices" to store and recover data on users’ equpment (including cookies) to obtain those users’ explicit consent for such use after providing them with clear and complete information about their use.  In particular, service providers now must disclose the purposes for which personal data will be processed pursuant to the Spanish data protection law. This modification makes clear the need to obtain the prior, opt-in consent of users before placing cookies, as compared to the previous law, which only required service providers to inform users of their ability to opt out.

In line with Recital (66) of Directive 2009/136/EC, service providers can still rely on the settings of a web browser or other application to provide opt-in consent, provided that users take an express action to establish the setting when installing or upgrading the browser or application, where technically feasible and effective.  Moreover, the new law does not modify the exemption in the ISSA that permits service providers to place cookies to facilitate the operation of an electronic communication network or to carry out an explicit request of a user.

 

Authored by Pablo Rivas.

Related topics

Related countries

Load more

Related keywords

Load more

Articles you may be interested in

image_1
Insights and Analysis

End-to-end encryption: obstacle or pillar of national security?

07 April 2025
image_1
News

Latombe Case: First hearing for annulment of the EU-U.S. Data Privacy Framework

02 April 2025
image_1
News

Connected vehicles: CNIL’s consultation promotes driver’s consent over fraud and car theft

01 April 2025
image_1
News

Streamlined BCR approval: Understanding the EDPB's updated procedure

31 March 2025
image_1
News

The Data Chronicles | Unlocking the EU Data Act | What it means for connected products and related services

27 March 2025
image_1
News

Gender and GDPR: does the right to rectification override civil registry records?

25 March 2025
image_1
News

The Data Chronicles | Unlocking the EU Data Act | Impact on cloud providers and cloud users

20 March 2025
image_1
News

The Data Chronicles | Unlocking the EU Data Act | What you need to know

13 March 2025
image_1
News

New CNIL’s guidelines on AI models: a practical approach amidst EU’s regulatory tangles

18 February 2025
left_arrow
right_arrow

View more insights and analysis

arrow
arrow

Register now to receive personalized content and more!

 

Register
close
See benefits
Register