Legal notice and analysis of the Customer Service Act
This legal memorandum is intended to provide a practical legal analysis of Law 10/2025, of 26 December, regulating customer service activities (the “Customer Service Act” or the “CSA”), highlighting its implications for companies subject to its provisions and offering useful legal criteria for adapting their customer service processes.
Legal analysis
For the first time in Spain, the CSA introduces a specific and mandatory regulatory framework governing how companies must provide customer service, establishing clear standards regarding response times, access to human assistance, transparency, accessibility, and traceability of interactions, as well as mechanisms to ensure the efficient resolution of queries, incidents, and complaints. Its purpose is to strengthen consumer protection, enhance market confidence, and prevent practices that may generate legal or reputational risks for companies.
In particular, the CSA has popularly been referred to as the ‘Three-Minute Law‘, as it requires that customer service calls be answered within an average maximum waiting time of three minutes. This requirement represents only one of several mandatory compliance obligations that companies must consider in order to mitigate legal risks and optimize customer experience.
The effective entry into force is accompanied by a transitional period until 28 December 2026, providing a limited window for companies to adapt their processes, systems, and contractual arrangements under a preventive and strategic approach.
Preliminary considerations
The CSA constitutes the first piece of legislation establishing specific and detailed obligations regarding the proper provision of customer service, moving beyond prior sector-specific approaches and consolidating minimum standards applicable to all affected operators.
The CSA pursues two core objectives:
- Effective consumer protection: safeguarding users and consumers against practices that commonly generate frustration, such as excessive waiting times, exclusively automated customer service systems, unsolicited commercial calls (spam), hidden charges, and false online reviews.
- Standardization of customer service quality: imposing clear metrics and performance obligations for customer service operations, ensuring that consumer experience translates into legal compliance and reduced reputational risk.
The nickname ‘Three-Minute Law’ stems from one of its most emblematic provisions: companies must ensure that 95% of customer service calls are answered within an average maximum waiting time of three minutes, without the possibility of terminating calls on the grounds of excessive waiting time. This requirement constitutes an obligation of result rather than a mere best-efforts standard, meaning that the allocation of human and technological resources must be strategically structured to ensure compliance.
The CSA introduces both result-based and organizational obligations directly affecting:
- Omnichannel service models.
- IVR systems and automation architectures.
- Complaint management systems.
- Outsourced call centers.
- Interaction logging and traceability systems.
- Commercial policies related to after-sales services.
These are not quality recommendations, but legally enforceable standards whose compliance may be subject to verification in the context of inspections carried out by the competent consumer protection authorities.
Obligated entities and scope of application
In general terms, the CSA applies to:
- Private and public entities providing customer service.
- Companies serving consumers and users with more than 250 employees or annual turnover exceeding €50 million.
- Providers of essential services, including energy, water, gas, telecommunications, transport, financial, and postal services.
Although SMEs are initially excluded, the Act’s impact extends to subcontracting chains, digital service providers, and technology platforms involved in customer service activities of obligated entities. This scenario necessitates a review of agreements with outsourced call centers, CRM providers, automation service providers, and artificial intelligence system suppliers, as ultimate liability vis-à-vis consumers and public authorities remains with the principal operator.
Minimum service quality standards
Among the minimum enforceable standards, customer service must be:
- Free of charge for users.
- Effective and measurable through clear performance indicators.
- Universally accessible, including to persons with disabilities or language barriers.
- Verifiable, through records and documentation capable of demonstrating compliance during inspections or disputes.
Particular importance is placed on the obligation to ensure that 95% of calls are answered within the average maximum period of three minutes. The key legal aspect is not merely achieving the metric, but being able to document and evidence compliance.
From a practical standpoint, companies must implement internal monitoring protocols, periodic reporting, and audits to ensure alignment with these obligations, transforming regulatory requirements into competitive service advantages.
Specific consumer rights and practical implications
The CSA guarantees specific consumer rights with direct legal implications for companies:
1. Right to human assistance
Customer service may not be exclusively automated through bots or AI systems. Users are entitled to request assistance from a qualified human representative.
Companies should implement tiered escalation systems allowing prompt human intervention, particularly in complex or sensitive cases, and review IVR and chatbot architectures to avoid artificial delays in transfer.
2. Maximum resolution deadlines
Complaints and incidents must be resolved within fifteen (15) business days.
Shorter deadlines apply in specific cases:
- Undue charges: five (5) business days.
- Essential service interruptions: two (2) hours regarding status updates and restoration forecasts.
Clear internal SLAs, tracking systems, and automated alerts are advisable, as failure to comply may constitute an administrative infringement.
3. Prohibition of abusive practices
Unsolicited commercial calls are expressly prohibited, and companies must identify themselves through specific codes.
Commercial campaigns and databases must be audited to ensure lawful consent and traceability.
4. Price transparency
Hidden charges or surcharges are prohibited; advertised prices must match the final payable amount.
Internal billing standards, customer portals, and contractual documentation must be reviewed accordingly.
5. Online reviews and advertising
Reviews must be issued by genuine users within the previous 30 days, subject to verification mechanisms and removal procedures for false reviews.
Proactive verification and moderation systems are recommended.
6. Accessibility and non-discrimination
Customer service must be adapted for vulnerable persons, including individuals with hearing impairments or language barriers.
Investment in staff training, assistive technologies, and inclusive protocols is advisable.
7. Documentary evidence
Companies must provide acknowledgment of receipt and content of communications, including date and time stamps, and allow access to call recordings where applicable.
Robust logging and secure storage systems should be implemented to serve as evidentiary support in inspections or claims.
Additional key measures: legal implications and strategic opportunities
The CSA requires the design of integrated internal processes combining service provision, traceability, performance metrics and risk management.
Proactive companies that continuously improve these processes may convert regulatory compliance into a competitive advantage by increasing customer satisfaction, reducing disputes and litigation, and optimizing commercial operations.
Opportunities arise for legal advisory services in:
- Redesigning internal processes.
- Conducting periodic audits.
- Reviewing service provider contracts.
- Establishing preventive compliance protocols.
Sanctioning regime and legal impact
Non-compliance with the CSA constitutes an administrative infringement in consumer protection matters. Sanctions may include significant financial penalties, with increased severity in cases of repeated breaches or harm to vulnerable consumers.
Companies will be subject to periodic external audits certifying compliance, requiring integration of regulatory compliance into corporate governance and risk management frameworks.
Recommended strategy and practical guidance
From a risk management perspective, adaptation to the CSA cannot be limited to isolated operational adjustments. Each affected operator should begin with a comprehensive internal assessment covering service channels, response times, traceability mechanisms, and accessibility standards.
This diagnosis will enable the definition of legal compliance KPIs, such as response times, resolution rates, and percentage of human-assisted interactions.
Subsequently, internal protocols and mandatory record-keeping systems should be designed and implemented to evidence compliance during inspections and audits.
Periodic external audits should review service provider agreements, subcontracting structures, and digital platforms to ensure full compliance.
Staff training in consumer rights and internal protocols is essential to ensure efficient, compliant incident resolution.
Commercial and communication strategies must be continuously reviewed to ensure transparency and prevent abusive practices.
Through this approach, mandatory compliance with the CSA may be transformed into a strategic advantage, enhancing customer satisfaction, corporate reputation, and operational efficiency.
Summary of the Customer Service Act
The so-called ‘Three-Minute Law‘ represents a structural shift in how companies must conceive customer service: from a purely reputational element to a source of administrative liability exposure.
The transitional period until December 2026 should not be regarded as a period of inaction, but as a strategic opportunity to:
- Redesign internal processes.
- Strengthen corporate governance.
- Integrate compliance into daily operations.
- Reduce exposure to sanctions.
At LetsLaw, S.L., we assist organizations in conducting specific legal audits concerning customer service operations, designing tailored adaptation plans that integrate regulatory analysis, contractual review and operational alignment. Check out our legal services in Spain.
Candela Martín es abogada especialista en derecho digital, propiedad intelectual y protección de datos.
Graduada en Derecho por la Universidad de Granada, completó un doble máster en acceso a la abogacía y derecho digital en la Universidad de Navarra. Su práctica se centra en privacidad, comercio electrónico y contratación, con una visión proactiva y resolutiva en el asesoramiento a empresas del entorno tecnológico.
More from my site
According to the CJEU, the gender identity of the customer is not a necessary piece of information for the purchase of a transport ticket
First fines of over 40,000€ by the AEPD for exploiting customer data through business Wi-Fi
The AEPD sanctions Endesa for exposing data of more than 4.8 million customers
Key points of the customer services project of law
Legaltech to offer more efficient legal services 
Does taking the temperature of customers constitute the processing of personal data?