Definition
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.
Excerpt
The recipient may revoke the consent given to receive commercial communications at any time by simply notifying the sender of his wishes. For this purpose, service providers must enable simple and free procedures so that service recipients can revoke the consent they have given. When the communications have been sent by email, said means must necessarily consist of the inclusion of an email address or other valid electronic address where this right can be exercised, and the sending of communications that do not include said address is prohibited. Likewise, they must provide information accessible by electronic means on said procedures.
Service providers may use data storage and retrieval devices on recipients' terminal equipment, provided that they have given their consent after being provided with clear and complete information on their use, in particular, on the purposes of data processing, in accordance with the provisions of Organic Law 15/1999, of December 13, on the protection of personal data.
When technically possible and effective, the consent of the recipient to accept the processing of the data may be provided through the use of the appropriate parameters of the browser or other applications.
The foregoing will not prevent the possible storage or access of a technical nature for the sole purpose of transmitting a communication over an electronic communications network or, to the extent that it is strictly necessary, for the provision of an information society service. expressly requested by the recipient.
Related cases
The PREICO JURÍDICOS website was fined by the Spanish DPA for violating regulations regarding the use of cookies. The website was found to have used non-technical and non-necessary cookies without obtaining proper consent, failed to display an appropriate cookie banner, and provided insufficient information in its Cookies Policy.
The Spanish DPA imposed a fine on the owner of a commercial website for processing personal data without proper consent, using unnecessary third-party cookies that could not be rejected, and failing to provide clear information about the cookies in use in the Cookies policy.
The Spanish DPA found an online clothing store responsible for handling personal data without consent from the people involved, not having a privacy policy in place, and using unnecessary cookies without informing users properly through a cookie banner.
The Spanish DPA imposed a fine on an adult content website for violating data protection regulations. The website was penalised for using cookies without providing adequate information about their nature and purposes, as well as for having an outdated privacy policy that did not comply with the GDPR.
The Spanish Data Protection Authority (DPA) has fined an airline for violating cookie regulations on their website. The airline failed to give users a choice, provide sufficient information, and allow users to reject all cookies at once.
Marbella Resorts was fined by the Spanish DPA for not having a data processing agreement with the processor and for violating the Spanish Law on cookies by placing unnecessary cookies without user consent.
The Spanish DPA (AEPD) imposed a fine on a radio station for not including a link to their cookie policy in the cookie banner and for placing non-essential cookies on user devices without obtaining prior consent.
The Spanish Data Protection Authority (DPA) imposed a fine on a website for violating data privacy laws by installing third-party cookies without user consent and failing to provide sufficient information about the purpose of these cookies. Additionally, the website did not offer an option to reject these cookies and continued to use them without consent even after the user had deactivated the option.
Abanca Corporación Bancaria was found to be using unnecessary cookies on its website without obtaining prior consent from users, leading to a fine by the Spanish Data Protection Agency (AEPD).
The Washpoint SL was fined by the Spanish DPA (AEPD) for two violations: first, the absence of a Privacy Policy on their website; and second, the absence of a reject button on the second layer of their Cookie Policy.
The Spanish DPA (AEPD) fined ASOCAPAC for insufficient information provided on the first layer of the cookie banner and the missing "refuse all cookies" option in the cookie policy on their website.
The Spanish DPA (AEPD) fined Asociación de Víctimas por Arbitrariedades Judiciales (JAVA) for publishing illegal recordings on its website and dropping Google Analytics cookies without user consent. Additionally, there was no second layer on the cookie banner enabling the user to refuse to consent to all cookies.
The Spanish Data Protection Authority (AEPD) initiated a sanction procedure against Eslora Proyectos, S.L. based on a complaint filed by a Spanish citizen, which alleged that the defendant, the owner of three websites, failed to provide the necessary basic layer information to users regarding the cookies loaded on the websites.
The Spanish DPA fined the airline Vueling €18,000 for relying on pre-checked consent boxes that enabled non-essential cookies and for continuing to use non-essential cookies even after users clicked "reject all."
A controller was fined by the AEPD for inadequate cookie information on its website, including a lack of information on tracking cookies and a vague cookie policy without an easy uninstall tool.
ARANOW PACKAGING MACHINERY, S.L was fined by AEPD for violations related to its Cookie Policy. AEPD conducted an investigation that included an examination of the information provided in the Cookie Policy, including details on the use of cookies and data collected. AEPD also looked for any mechanism to reject all cookies, but found none.
Miguel Ibáñez Bezanilla was fined by the Spanish DPA for multiple violations related to his website. These included the absence of a banner on cookies usage, insufficient information on the identity, features, and length of cookies, and the lack of an option to refuse them. The website was found to be technically unsafe, the privacy policy was not updated, and the provided cookie information was inadequate.
Just Landed, a Spanish entity, has been fined by the Spanish DPA for having a privacy policy written only in English and not providing a mechanism to accept, reject or manage cookies.
Iweb Internet Learning, S.L. was fined by the Spanish Data Protection Agency for failing to identify the data controller, not allowing separate consent for each purpose, and providing insufficient information on the use of cookies.
The Spanish DPA fined a online genealogy platform for placing unnecessary own and third-party cookies before asking for consent, and for not offering sufficient information about cookies in the banner and in their privacy policy.
Canary Click Consulting website was held liable for failure to provide information about the storage or deletion of their data and for not providing an option to reject cookies.