This blog post was provided by Pablo Rivas in our Madrid Office
On April 2, after almost a year of delay, Spain published Royal Decree-Law 13/2012 requiring opt-in consent to place cookies as required by the EU e-Privacy Directive (2009/136/EC, modifying Directive 2002/58/EC).
Royal Decree-Law 13/2012 dramatically modifies Article 22 of the ISSA by requiring service providers who want to use "devices" to store and recover data on users’ equpment (including cookies) to obtain those users’ explicit consent for such use after providing them with clear and complete information about their use. In particular, service providers now must disclose the purposes for which personal data will be processed pursuant to the Spanish data protection law. This modification makes clear the need to obtain the prior, opt-in consent of users before placing cookies, as compared to the previous law, which only required service providers to inform users of their ability to opt out.
In line with Recital (66) of Directive 2009/136/EC, service providers can still rely on the settings of a web browser or other application to provide opt-in consent, provided that users take an express action to establish the setting when installing or upgrading the browser or application, where technically feasible and effective. Moreover, the new law does not modify the exemption in the ISSA that permits service providers to place cookies to facilitate the operation of an electronic communication network or to carry out an explicit request of a user.