Spanish DPA Levies First EU Fines For Not Obtaining Cookies Consent


By Brett Allan King

Feb. 12 -- The Spanish Data Protection Agency (AEPD) has fined two companies for using cookies without obtaining informed consumer consent, a move one lawyer said Feb. 12 is the AEPD's first ruling penalizing the improper use of cookies and the first cookies tracking fine levied in the European Union (In re Navas Joyeros Importadores, S.L., AEPD, No. PS/00321/2013 1/14/14).

In a resolution, the AEPD in January ordered two Spanish companies to pay small fines for “minor” violations of Spain's data protection and information society services laws, due to their failure to obtain informed consumer consent and to clearly communicate the purpose and usage of cookies.

The AEPD fined jeweler Navas Joyeros Importadores S.L. 1,500 euros ($2,045) for violating Articles 5.1 and 5.2 of the Spanish Data Protection Act (LOPD, Organic Law 15/1999) and 3,000 euros ($4,103) for violating Article 22.2 of the Information Society and Electronic Commerce Services Act (LSSI, Law 34/2002). The AEPD also fined jeweler Privilegia Luxury Experience S.L. 500 euros ($687) for violating Article 22.2 of the LSSI.

It concluded that information regarding the companies' cookies wasn't “complete and clear, particularly with regard to the types of cookies used, their objective, and the identities of those who install and use the cookies, which would invalidate any consent given by users that ‘Accept’ the ‘Cookies Policy’ or continue to surf the websites.”

Although the fines were small even for minor infractions of these laws, this is the first ruling to specifically target the nonconsensual use of cookies and to establish an enforcement precedent in the aftermath of the AEPD's recent guidance on how companies should apply recent cookie regulations, Elisa Lorenzo, an associate at DLA Piper in Madrid, told Bloomberg BNA.

Insight on AEPD Enforcement

Royal Decree-Law 13/2012, which took effect in April 2012, altered the LSSI to put Spain in compliance with the European Union's e-Privacy Directive (2009/136/EC). The e-Privacy Directive requires websites to obtain user consent before placing cookies on users' computers.

Given ambiguous and generalized language on cookies in recent modifications to the LOPD and LSSI aimed at putting Spain in compliance with the directive, the AEPD did not previously enforce the new regulations in the absence of guidance to clarify its own interpretation of how companies should proceed, Lorenzo said.

In 2013 the AEPD issued guidance, created with the help of industry representatives, to aid company compliance with the new regulations.

Sending a Message

According to Lorenzo, the AEPD's ruling follows past patterns for the enforcement of newly established rules in which the agency issues “very moderate” fines to send companies an initial message “that this is not a warning, but something more serious” that will lead to more vigorous enforcement over the coming months.

The AEPD's next steps will likely track the steps it took with new anti-spam legislation, “meaning that the Agency will be vigilant, and as the complaints come in it will react with larger fines in order to get people to comply strictly with its guidance notes,” Lorenzo said.

The AEPD's enforcement of new legislation tends to bring fines small enough to avert company appeals of the ruling, while at the same time setting a precedent for more vigorous enforcement later on, she said.

By not appealing these sentences, companies are essentially helping to create jurisprudence upholding the AEPD's interpretation of the law, she said.


To contact the reporter on this story: Brett Allan King in Madrid at

To contact the editor responsible for this story: Katie W. Johnson at

Resolution R/02990/2013 is available, in Spanish, at
