The Spanish data protection authority, the AEPD, has issued the first European cookie fine for the violation of Article 22.2 of Spain’s Information Society Services and Electronic Communications Law 34/2002 (Spanish E-Commerce Act), as amended by Royal Decree Law 13/2012 which implements the e-Privacy Directive (Directive 2002/58).

On 29 April 2013, the AEPD issued guidelines on the use of cookies (Cookies Guide). This guide clarified how to interpret Article 22.2 of the Spanish E-Commerce Act. This guidance recommends that information on the use of cookies must be sufficiently visible, provided in one of the following ways:

  1. In the heading or foot page of the website
  2. Through the website Terms & Conditions
  3. Through a banner which offers information in a layered approach
    • First layer: highlighting essential information about the use of cookies, including the relevant purpose, also detailing the existence of any third-party cookies
    • Second layer: link to a cookies policy with more detailed information on cookie use, specifically the definition and function of each cookie, information about the types of cookies used, information about how to delete cookies and identification of all parties who place cookies

The Cookies Guide also clarifies the way in which consent to cookies must be obtained. This includes:

  • Acceptance of website terms and conditions or privacy policy
  • Configuration of browser functions
  • Feature led when a website offers a new function
  • Download of specific website content
  • Configuration of website functions

Implied consent can only be deemed from a user’s specific action, as opposed to inactivity, such as the use of a scroll bar in the vicinity of where cookies information was highly visible, or otherwise clicking on website content.

In July 2013, four months after issuing the Cookies Guide, the AEPD began investigations into Navas Joyeros S.L and Luxury Experience S.L and their use of cookies for their promotional websites. Article 38.4(g) of the Spanish E-Commerce Act empowered the AEPD to impose monetary penalties totalling €3500 against both companies. In the Resolution No. R/02990/2013, the AEPD declared the companies had failed to provide sufficiently clear and comprehensive information about the use of cookies in violation of Article 22.2 of the Spanish E Commerce Act. Specifically, the information on cookie use was not provided in the layered manner required by the AEPD’s Cookies Guide. Furthermore the notices neglected to detail the cookies used or the types of cookies set, merely specifying broad purposes for the use of cookies and omitting to mention which cookies were controlled by the website or by third parties, and failing to provide website users with information about how to deactivate cookies or revoke consent to their use.

The AEPD’s landmark decision has resulted in the first EU cookie fine being issued, and could well set the precedent for further penalties in the future for website operators with slack cookie practices.