Spanish law of cookies (normative European)

The law of cookies is the transposition in Spain of Directive 2009/136/CE, integrated in our ordering by means of the modification of section 2 of article 22 of Law 34/2002, of 11 of July, Services of the Society of the Information and of Comercio Electrónico (LSSI-CE).

That is the Spanish norm of cookies?

One is a modification that affects to the way in that we can store in the navigator the information on the visitors and users of our websites, and is an adaptation of a directive of European scope that gradually all the countries of the EU are adopting. It is what Law of cookies has been called.

This called norm Law is not so, but it is only article 22 of the LSSI, that says something as concise as the following thing:

The lenders of services will be able to use data retrieval and storage devices in terminal teams of the adressees, on condition that the same have given their consent after clear information has been facilitated them and completes on its use, in particular, on the aims of the treatment of the data, in accordance with the arranged thing in Statutory law 15/1999, of 13 of December, Protection of Personal Character data.

When he is technically possible and effective, the consent of the adressee to accept the treatment of the data will be able to be facilitated by means of the use of the suitable parameters of the navigator or of other applications, whenever that one must come to its configuration during its installation or update by means of an action expresses to this end.

The previous thing will not prevent the possible storage or access of technical nature to the aim to only carry out the transmission of a communication by an electronic communications network or, in the measurement that is strictly necessary, for the benefit of a service of the society of the information specifically asked for by the adressee.

This implies the illegality to store information of any type in the navigator of the user who is going to be available enters visits without the previous consent of this one.

We must inform to the users into our Web into clear way envelope what cookies we are going to keep in its computer before doing it. And it includes not only the own cookies that we can generate with our applications, but also the cookies of third parties that could use: this includes for example those of Google Analytics, Google Maps, Google Adsense, Youtube, Vimeo, Faceboook, Linkedin, other bellboys of social networks, etc

It affects webpage or personal blog?

If your page is not commercial you are not affected by the LSSI. That yes, if you include banners to try to enter something by publicity or if you have payment bellboys to sell some product (for example a small electronic book or what is), or if you use it with any aim that can be considered minimumly commercial, then yes will be affected.


In this guide one settles down more or less with clarity what cookies would be within the exceptions that the mentioned article of the LSSI-CE establishes, that is to say, those cookies that stop their installation and use in this way do not require the consent previous and informed into the users, facilitating their identification. Also, aside from enunciating the excepted, divided cookies in two general categories based on his purpose, these they are, those that only allow the communication between the equipment of the user and the network and those who serve to serve specifically asked for by the user, picks up a Ruling issued by the Work group of Article 29, where an interpretation of the exceptions of the norm is realised and in which specific what type of cookies would be included within the general categories before mentioned, concretely we are talking about to the following:

  • Cookies of session and entrance of user, as for example, those that are used to track the actions of the user at the time of filling in the forms Web, as the baskets of the purchase.
  • Cookies of identification and/or authentication.
  • Cookies of security, as the used ones to detect erroneous and repeated attempts from connection to a website.
  • Cookies of session of reproductive multimedia that is used to store the engineering datas necessary to reproduce contents of audio video or, as quality of the image, speed of connection to the network and parameters of temporary storage.
  • Cookies of session to balance the load, is a technical cookie, that is used for, for example, to identify the reserve servant towards which the load adjuster will redirigirá the requests correctly Web of the users.
  • Cookies of personalisation of the user interface that is used to store a preference of the user in relation to the visited webpage, as it can be the preference of the language.
  • Cookies of complement (plug-in) to interchange social contents, that is to say, is cookies of third parties that are used to share social contents by the members connected to a social network, this exception only is plicable to users connected to the network, reason why to the connected users it is not necessary to inform to them explicitly into previous form to his installation.  

That is to say, that all those cookies that are not within one of the two mentioned general categories and do not fulfill some of the purposes previously described will have, to successfully obtain, with previous character to its installation, the consent informed into the users.

Google Analytics and other tools of statistics of visits.

Another essential part of cuaquier website is the necessity to analyze the traffic that receives. It allows to anonymously know questions fundamental to improve the marketing and the center of our website or our application: from where our visitors come, what key words search have used to arrive, how long throw in the site, what routes follow, in what point leave a purchase process. Essential.

The most habitual tool of analysis and that uses a high percentage of the websites is Google Analytics. It is gratuitous and easy to start up and offers a really good anonymous analysis.

Social networks

It is common to place in your webpage bellboys of social networks, as much to allow that they follow to you or to your company, as fomenting that they share articles, products and other contents in the different social networks. In addition the social networks integrate in our pages and applications of many other forms: in order to make commentaries, with posts contracted, accountants of sharing of pages At present the main social networks are present in a great majority of the webpages of third parties, and it is possible to be considered in many cases that are an almost indispensable part.

What says the European directive with respect to the cookies of these social networks?

Firstly it distinguishes between the users who are with their session opened in the social networks and those that do not have it open or do not belong to the network. First one assumes that they are conscious of it and that they know that the networks in which they are to them watching reason why it is not necessary to warn of the cookies put by the bellboys and accessories to them of these sites that there are in our page. To the other users (if they are not registered or they do not have the open session) it is necessary to warn to them and in addition to prevent the writing of the cookies until they allow explicitly to it.

Actually you do not have form to know if the user is connected or no, reason why must control these cookies. Although you are not the one that puts those cookies in your page or application, and although you do not benefit either from the profiles that elaborate, if a usuary one denounces the person in charge will be your company and not it social network or the other people's application that has created the cookie. So we do not have left more remedy than to control this fact and being we those that we do not allow that those cookies keep until the user from their consent.

And if the page of my company is lodged in another people's platform (Wordpress, Blogger, Facebook, LinkedIn)?

IN THIS CASE IT DOES NOT FULFILL THE NORM. The fact that they are these services, outside your control, those that put the cookies and not you, do not exempt to you of the responsibility that implies article 22 of the LSSI. It is your company as responsible for the page the person in charge also to fulfill the legislation and to inform and to request the consent for the use of the cookies. If they denounce to you the person in charge is your company and not it company that serves to you.

So if you have the page of your company in, for example, attention because the Law of cookies will be being been failing to fulfill by defect since a cookie of pursuit of the Automatic company will be generated automatically (mother of Wordpress) and above in the USA, and so it is international transmission of personal data (if you requested them in the page, although the connection IP counts as personal data, so EYE).

The same if you have a company page on Facebook, LinkedIn or Google+, something very habitual. Although I doubt that nobody is going to you to denounce for that reason (and they are going to him to make case), but the certain thing is that it would go against the LSSI and its article 22.

Bond with showing a warning?

No, the law forces to inform into clear, exhaustive and previous way to the installation, of the not-exempt cookies that can have in your website. If you install the cookies and soon you inform nonbond don't mention it.


The sanction by the slight breach (Art. 38.4.g LSSI) of the Law of Cookies (Art. 22,2 LSSI) is of 300 up to 30,000 (art 39.1.c LSSI). The sanction could be of until 150.000‚¬ (Art. 39.b LSSI) if the breach were significant (Art. 38.3.i LSSI).

This implies it necessity to adapt its Web to the norm to avoid the risk of the indicated penalties.

(sources and more information in and