Spain’s online safety framework is built on EU law, national audiovisual and child-protection legislation, and an increasingly active policy agenda focused on age assurance and youth wellbeing online. Spain has positioned itself as one of the more interventionist Member States on age checks, particularly for pornography and social media.
National legal framework and regulator
Spain regulates online content and platform safety primarily through its audiovisual and consumer protection regimes, supplemented by EU law.
The key national authority is the Comisión Nacional de los Mercados y la Competencia (CNMC), which supervises audiovisual media services and video-sharing platforms under Spanish law and EU-derived obligations.
Spain has transposed the Audio-visual Media Services Directive (AVMSD) into domestic law, imposing duties on video-sharing platforms to protect minors from harmful content, including pornography and extreme violence. These duties include the use of effective age verification or age assurance mechanisms where appropriate.
In parallel, Spain applies general child-protection and consumer law to online services where children may be exposed to harm, misleading practices, or unsuitable products.
GDPR and children’s data in Spain
Spain applies the EU General Data Protection Regulation (GDPR) directly.
Under Spanish law, the digital age of consent is 14, meaning that children under 14 cannot lawfully consent to the processing of their personal data without parental authorisation.
This has practical consequences for online services:
• Platforms relying on consent must know whether users are at least 14
• Services that do not know users’ ages cannot safely rely on consent
• Children’s data requires heightened protection and risk assessment
The Spanish Data Protection Authority, the Agencia Española de Protección de Datos (AEPD), has been particularly active in enforcement relating to children’s data, profiling, and online harms.
Digital Services Act (DSA) and Spain’s role
The EU Digital Services Act (DSA) applies directly in Spain and introduces harmonised obligations for online platforms, especially those likely to be accessed by minors.
Under Article 28 DSA, platforms must take appropriate and proportionate measures to protect children, including limiting exposure to harmful content and addressing design features that may cause harm.
Spain has designated a national authority to act as Digital Services Coordinator, working alongside sector regulators and the AEPD to enforce DSA obligations.
In practice, this means that platforms established in Spain, or targeting Spanish users, may face scrutiny for:
• Failure to protect minors
• Ineffective age assurance measures
• Risky recommender systems or engagement-driven design
Pornography and age verification
Spain has been at the forefront of EU discussions on mandatory age verification for access to online pornography.
The Spanish government has publicly committed to requiring robust age verification for adult content websites accessible in Spain, driven by concerns about early exposure to pornography and child development.
As part of this effort, Spain has announced and begun piloting a government-backed digital age verification solution, commonly referred to as a national age-verification wallet, designed to allow users to prove they are over 18 without disclosing their identity to content providers.
This initiative is widely viewed as a precursor to broader age-assurance requirements across other online services.
Social media, minimum age, and digital ID proposals
Spain has also been vocal at EU level in calling for stronger controls on children’s access to social media.
Recent policy announcements include:
• Proposals to introduce a minimum age of 16 for access to certain social media services
• Exploration of identity-linked or wallet-based age verification for platforms
• Calls for EU-wide alignment to avoid fragmentation and regulatory arbitrage
While these proposals are not yet fully enacted into binding law, they signal a clear policy direction toward mandatory, reliable age assurance, moving beyond self-declaration.
Spain has explicitly argued that platform terms and parental controls alone are insufficient to protect children.
Interaction between national and EU law
Spain’s approach is shaped by the interaction of:
• National audiovisual and child-protection law
• GDPR rules on children’s data and consent
• The DSA’s EU-wide platform safety duties
Spanish regulators increasingly treat age assurance as a cross-cutting compliance requirement, relevant to data protection, content regulation, and consumer protection alike.