CookieLaw Blog February 5, 2014

Spanish Cookie Law Fines First in EU

The first fines specifically for cookie law compliance failures have been handed out by the Spanish Data Protection Authority.  They were given to two companies running a number of jewellery websites, one of which was an online store.

Your can find the details of the decision here (in Spanish, PDF).

It is not entirely surprising that Spain was the first country to impose fines – the DPA is known for handing out more fines than any other European data protection regulator.  There is understood to be more cases under investigation there and some are speculating that other countries may soon follow suit.

The fines were handed down primarily for a failure to properly inform visitors about the use of cookies, so we have decided to take a closer look at the guidance put out in Spain by their DPA, and what is says about requirements for cookie notices.

The key elements of the requirements can be summarised as:

  • Information should be sufficiently complete to enable users to understand the purpose/uses of the cookies.
  • The site should take into account the likely audience of the site when explaining the uses of cookies, avoiding terminology that would be difficult for the average site visitor to understand.
  • They advise also that sites should assume knowledge about the uses of cookies and how to manage them is limited.
  • Information about cookies and how to manage them can be layered, but must always be accessible, even after consent has been obtained.  A specific ‘Cookie Policy’ link is advised over a generic ‘Privacy Policy’.
  • There must be information on how to revoke consent after it has been obtained.
  • Information should distinguish between first and third party cookies, and identify the third party organisations that are setting cookies.

There are also detailed guidelines for when and how to obtain consent, but I will leave those for another post for now.

Recent Posts


January 13, 2017
Future of EU Cookie Compliance Webinar: ...

GDPR and now the proposed E-Privacy Regulation mean a stricter regime for cookie compliance, web governance and use of online tracking technologies. Join p...

View Article
Recent blog thumbnail
December 14, 2016
Draft EU ePrivacy Regulation Leaked...

A draft of the proposed legislation to replace the outdated EU ePrivacy Directive was leaked on the Politico.eu (PDF) website this week. The proposal is fo...

View Article
Recent blog thumbnail
November 3, 2016
GDPR Compliance Means Cookie Notices Mus...

Are you one of those people that ticked the cookie law box ages ago and not thought about it since? Well the game has changed and now is the time to re-vis...

View Article
Recent blog thumbnail
September 21, 2016
Optanon Acquired by OneTrust...

We are pleased to announce that Optanon, along with parent company Governor Technology, has been acquired by OneTrust....

View Article

Be in the Know

Subscribe to our newsletter