On 14 of January 2014, two Spanish businesses were fined for failing to comply with the Law of Cookies. The fines, of a relatively reduced amount (3.000 euros fine for one and 500 € fine for the other), should be understood as a call to attention for electronic businesses established in Spain or those that lend services or that advertise their services in Spanish territory.
Penalised behaviour
It must first be understood what offence the two Spanish businesses committed and for which they were sanctioned. The decision of the Spanish Agency for Data Protection (AEPD) on 14 January 2014 is summarised in the Eighth and Tenth Proven Facts and the Seventh and Eighth Foundations of Law.
The Eighth Proven Fact of the AEPD’s decision states the following: The use of the mentioned services, these are Google Analytics, Youtube, Zopim, TradeDoubler, Magento and WordPress, gives rise to the downloading of different types of cookies not exempt from the duty to provide prior information to the user that accesses the websites under its ownership.
Likewise, the Tenth Proven Fact adds: that they install and use cookies, both their own and those of third parties, not exempt from the duty to provide prior information as to their storage in the users’ terminals.
As explained by the decision’s Foundations of Law, this behaviour is punishable for the inability of users to express their consent or rejection of the use of the cookies. The lender of services has a duty, in the first place, to inform users, among other things, of the type of cookies that are going to be installed in their terminal and the purposes to which the installation of the cookies complies.
Once the duty of information is completed satisfactorily, the lender of services should also gain the user’s prior consent and verbal agreement, which will only be valid when the user has been duly informed.
The only exception to the duties of (i) prior information and (ii) duly informed express consent are exempt cookies. These cookies are characterized as limiting themselves by complying with any of the following criteria: (i) when the cookie is used only for the transmission of a communication by an electronic communications network or (ii) when the cookie is strictly necessary for the lending of a service of a company of the information expressly requested by the receiving party.
Applicable Sanctions
The offences and sanctions applicable to these infractions are noted in Title VII of Law 34/2002, of 11 July, on information and electronic commerce services of companies (articles 37 to 45).
The offences described above are considered minor according to article 38.4 g): Using storage devices and data recovery when the information was not provided or the consent of the receiver was not gained for the service in the terms demanded by article 22.2.
In virtue of Article 39, the commission of a minor offence is punishable with a fine of 30.000 euros. Therefore, although it is very improbable that a sanction of this quantity will be imposed without causing restraint, electronic businesses should prepare their websites to comply strictly with the obligations above, provided that they contain cookies that are not exempt.
For additional information,