Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

At Last, the EU Cookies Regulation Is Implemented in Spain

This blog post was provided by Pablo Rivas in our Madrid Office

On April 2, after almost a year of delay, Spain published Royal Decree-Law 13/2012 requiring opt-in consent to place cookies as required by the EU e-Privacy Directive (2009/136/EC, modifying Directive 2002/58/EC).

Previously, the use of cookies by service providers was regulated by Article 22 of Law 34/2002 on Information Services and Electronic Commerce ("ISSA"), which implemented in part the EU Directive on Electronic Commerce (2000/31/EC). Under that law, when a service provider placed cookies it was required to inform users of the cookies’ existence and the purposes for which the cookies were used.  In addition, service providers had to give users an option to reject cookies using a simple and free method, unless those cookies were used to facilitate the operation of an electronic communication network or to carry out an explicit request of a user.  In practice, Spanish companies complied with this requirement by providing users with information about how to disable cookies through their web browsers.

Royal Decree-Law 13/2012 dramatically modifies Article 22 of the ISSA by requiring service providers who want to use "devices" to store and recover data on users’ equpment (including cookies) to obtain those users’ explicit consent for such use after providing them with clear and complete information about their use.  In particular, service providers now must disclose the purposes for which personal data will be processed pursuant to the Spanish data protection law. This modification makes clear the need to obtain the prior, opt-in consent of users before placing cookies, as compared to the previous law, which only required service providers to inform users of their ability to opt out.

In line with Recital (66) of Directive 2009/136/EC, service providers can still rely on the settings of a web browser or other application to provide opt-in consent, provided that users take an express action to establish the setting when installing or upgrading the browser or application, where technically feasible and effective.  Moreover, the new law does not modify the exemption in the ISSA that permits service providers to place cookies to facilitate the operation of an electronic communication network or to carry out an explicit request of a user.