Spain has introduced a far-reaching legal framework to protect minors online, requiring businesses to adopt proactive compliance with new digital safety and data protection obligations.
Spain is advancing comprehensive legislative reforms aimed at strengthening protections for children and adolescents in the digital environment. The proposed Ley Orgánica de protección de menores en entornos digitales (Organic Law for the Protection of Minors in Digital Environments), announced in June 2024 and expected to be submitted to Parliament following advisory review, forms part of a wider national strategy involving updates to criminal law, regulatory obligations for digital service providers, and the promotion of digital literacy across schools, families, and professional sectors. With age verification, default parental controls, and platform accountability at the heart of this framework, the initiative sets a new benchmark within the EU for child-centred digital regulation.
Spain’s legislative response reflects increasing concern about the risks minors face online and the inadequacy of reactive enforcement models.
The draft law reflects a shift in legislative philosophy: from responding to digital harms after the fact to designing structural, preventive safeguards that reduce minors’ exposure to inappropriate content, harmful behaviours, and data misuse. This includes a legal obligation to implement child-friendly age verification mechanisms, criminal law reforms targeting online grooming and deepfake pornography, and proactive measures to support families and professionals in identifying and managing digital risks. The Spanish government has indicated a clear intention to lead the EU debate on harmonising child safety measures online.
The law imposes significant obligations on businesses that offer digital services accessible to minors.
Under the draft legislation, manufacturers of digital devices must ensure that parental control tools are enabled by default and that devices carry clear risk labelling. Platforms—including social media and video-sharing services—must incorporate age verification systems and parental controls that are both visible and accessible to users. Influencers, too, will fall within the scope of regulation, as part of efforts to mitigate the indirect influence of commercial content on minors. Perhaps most notably, the law prohibits the use of random reward mechanisms (loot boxes) in video games accessed by children, reflecting growing concern about addictive design and behavioural manipulation in digital products.
The Spanish Data Protection Agency (AEPD) has reinforced the need for privacy-respecting, effective age verification as a cornerstone of digital child protection.
In October 2024, the AEPD published an analytical paper, A Safe Internet by Default for Children and the Role of Age Verification, which emphasised the importance of proactive compliance with data protection principles under the GDPR. The agency warned against surveillance-based models that risk exposing children to new forms of profiling, exploitation, or loss of anonymity. It instead advocates for systems where the burden of proof remains on the person attempting to access restricted content—never on the child. Importantly, age verification tools should be designed to confirm whether the user exceeds the minimum age threshold, rather than collecting unnecessary identifying information.
Companies must ensure that their digital services meet the dual objectives of safety and data minimisation.
The AEPD’s analysis highlights that any processing of personal data in this context requires a valid legal basis and must comply with the principles of data minimisation, purpose limitation, and privacy by design and default. It also affirms that organisations should carry out a Data Protection Impact Assessment (DPIA) when introducing or modifying age assurance mechanisms. The DPIA must demonstrate that new controls do not introduce disproportionate risks for minors or other users, including unnecessary intrusions into privacy or data collection that exceeds what is strictly necessary.
Businesses operating in Spain or targeting Spanish users should begin preparing now for the likely enactment of this law in 2025.
Though not yet in force, the government’s commitment to bringing the new legislation before Parliament after the summer recess signals that compliance obligations may soon follow. Organisations providing digital services, applications, or platforms used by or accessible to minors must assess whether their systems meet the expected requirements—particularly in terms of age assurance, parental controls, and content moderation. As these obligations will intersect with existing data protection requirements under the GDPR, businesses should engage with Data Protection Officers (DPOs) or legal advisors to ensure readiness for implementation.
