The Spanish Data Protection Authority (AEPD) released an updated guidance on the use of cookies in May 2024. The guidance was updated to align it with the Opinion 8/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms issued by the European Data Protection Board (EDPB) in April 2024.
Some of the key takeaways from the guidance are set out below:
Consent Requirement
- Users’ consent must be obtained for the use of cookies.
- Users may convey their consent preferences through browser or other application settings where technically possible and effective.
- Consent is not required for the use of cookies required for carrying out transmission of communication over an electronic communications network or those strictly necessary for the provision of a service expressly requested by the user.
Valid Consent
- For consent to be valid, it must be freely granted and informed.
- The option to “continue browsing”, a user click, scrolling, navigation, or any similar behavior does not constitute a valid form of consent.
- Consent is deemed to be valid only where the user has made a clear, affirmative and unequivocal action.
- Consent must be given for each specific purpose to ensure granularity. It is recommended that a separate cookie should be used for each purpose.
Separate Consent to the Use of Cookies
- The acceptance of the use of cookies must be separate from the acceptance of the terms and conditions of the use of the website or service or the privacy policy of the website.
Transparency Requirement
- The information about cookies provided at the time of requesting the user’s consent must be sufficiently complete to allow users to understand its purpose and use.
- Information provided to the users should include definition and generic purpose of cookies, the types of cookies used and their use, identification of who uses the cookies, and information on how to accept, deny or revoke the consent for the use of cookies.
- The information must be provided to the users in a concise, transparent, and intelligible manner using clear and simple language.
- When providing information about third parties that use cookies, in order to comply with the conciseness requirement, different mechanisms may be used, such as buttons that display more specific information or pop-up text that appears when the mouse pointer passes over it, so that users can easily access the information if they wish.
- The use of phrases that confuse or distort the clarity of the message should be avoided.
- Users should be informed, at least on a generic basis, of the cookies excluded from consent and notice requirements.
One of the ways to obtain consent to the use of cookies is to provide information in layers, so that the user is able to go to the aspects of the statement or notice that interest them the most. Providing layered information also ensures that all information is available in a single place to be easily accessed if they wish to consult the statement in its entirety.
- First Information Layer: containing essential information such as the identity of the website publisher, the purposes for which cookies will be used, whether the cookies will be used only by the publisher or also by third parties, the type of data to be collected and used, the way in which a user can accept, configure or reject the use of cookies, and a clearly visible link taking the user to the second information layer or the cookie policy. This information should be provided to users before the installation of cookies, in a format that is visible to users. The updated guide provides several valid examples of a first information layer.
- Second Information Layer: containing the detailed information required under Article 13 of the GDPR, such as the definition and generic function of cookies, the types of cookies used and their purpose, identification of who uses the cookies, how to accept, deny or revoke consent to the use of cookies or how to delete third-party cookies from the browser or system, data retention periods and, where appropriate, information on data transfers to third countries. Where profiling involves automated decision-making that produces legal effects for the user or similarly significantly affects the user, the user must also be informed of the logic used as well as the significance and expected consequences. The cookie policy should be easily and permanently accessible to users.
Accessibility and Visibility of Cookies
The information about cookies must be easily accessible. The accessibility and visibility can be enhanced in several ways:
- by increasing the size of the link to the information or using a different font to distinguish that link from the normal text of the website;
- by positioning the link in areas that capture the users’ attention or where an average user expects to find it;
- by using descriptive and intuitive names for the link, e.g., using “Cookie Policy” instead of a general expression like “Privacy Policy”, to improve its accessibility and visibility; and
- by using alternative methods that emphasize the significance of the informative hyperlink, such as employing framing or underlining for the link, triggering a notice when the mouse pointer hovers over the link, or incorporating a clickable image that motivates exploration for additional information.
Easy Withdrawal of Consent
- The website publisher is obligated to provide users with information in its cookie policy regarding the procedures for withdrawing consent and deleting cookies.
- The publishers must allow users to withdraw consent to the use of cookies at any time.
- The method to withdraw consent must be as easy as the one used to obtain it.
- A button to reject all cookies must be installed.
- The 'reject all' button must be equally appealing, easily accessible, and prominently displayed, with a design that avoids potential misleading elements, such as difficult-to-read color contrasts, to ensure users are not led into unintentionally accepting cookies.
Cookie Walls
As a general rule, website publishers cannot make access to a service or its functionalities conditional on the user’s acceptance of the use of cookies. There may be certain cases where non-acceptance of the use of cookies prevents users’ further access to the website, totally or partially, provided that:
- the user must be adequately informed about it, and alternative access to the service must be offered to users without requiring them to accept the cookies;
- the services of both alternatives offered to the user must be genuinely equivalent; and
- the alternatives must be offered by the publisher and not by any other entity, and this alternative does not necessarily have to be free of charge.
Furthermore, the guidance refers to EDPB’s Opinion 8/2024 that highlights the need to comply with the requirements of GDPR, in particular those related to valid consent, while assessing the specificity of each case. EDPB adds that, in most cases, it will not be possible for large online platforms to comply with the requirements for valid consent under GDPR if they confront users only with a binary choice between consenting to processing of personal data for behavioral advertising purposes and paying a fee (‘consent or pay’ model).
The offering of (only) a paid alternative to the service which includes processing for behavioral advertising purposes should not be the default way forward for controllers. When developing the alternative to the version of the service with behavioral advertising, large online platforms should consider providing data subjects with an ‘equivalent alternative’ that does not entail the payment of a fee, without behavioral advertising, e.g. with a form of advertising involving the processing of less (or no) personal data. This option derives from the principle of data minimization, which obliges data controllers to ensure that only the data necessary for advertising activity will be processed. The offer of this free alternative is a particularly important factor when assessing whether the consent granted for behavioral advertising would be considered valid and no detriment has occurred to the interested party.
Personalization Cookies
Personalization cookies, designed to save information and tailor user experiences, are exempted from the need for consent only when it is the user who actively chooses specific conditions. For instance, if a user selects a language by clicking on a country flag, chooses a currency for a transaction, or customizes the font size or color, the consent exemption applies. In such instances, the cookies' lifespan does not necessarily have to be limited to the session, thus sparing users the inconvenience of having to personalize their settings on each visit. However, if there is an intention to use these cookies for additional purposes like statistics or marketing, obtaining user consent remains a requirement.
Consent of Minors
- Websites aimed at minors must use simple and clear language. In the case of children under 14 years of age, website publishers must make reasonable efforts to verify that consent for the processing of personal data is given by the holder of parental authority or guardianship, taking into account the available technology and the circumstances of the processing. Additionally, the publisher must consider the risk associated with the use of cookies and implement the principle of data minimization.
- Website publishers must take additional precautions when using data to personalize the user experience without creating a profile of the minor. In the absence of the corresponding risk analysis according to the specific circumstances of the case, additional precautions should be taken to verify that the consent was given or authorized by the holder of parental authority or guardianship.
- The system of the website publisher should detect incidents indicating inaccurate data entry, and in such cases, it should refrain from using cookies until the holder of parental authority or guardianship grants consent. This could include cases where future dates are specified, or the mentioned age of the parent/guardian is not reasonable. Website owners may employ reasonable verification methods, like questions or captchas, to ensure that parental consent is obtained rather than that of the minor.
- If consent for cookie usage is sought during processes like registration, additional information about parents or guardians may be requested for verification, such as their name, email address, or a copy of identification documents. This approach aims to uphold the importance of securing clear and explicit parental consent, particularly when dealing with minors' data in online services.
Renewal of Consent
The periodic renewal of consent at appropriate intervals is considered a best practice. The validity of consent provided by a user for the use of a certain cookie must not have a duration longer than 24 months. During this time, the selection made by the user must be preserved so that the user is not asked to provide consent every single time they visit the webpage in question unless the purpose of cookies is changed.
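The renewal rule above translates directly into a consent-record check: a stored choice stays valid for at most 24 months, is reused on later visits, and is invalidated as soon as the declared set of purposes changes. The following is an added example (not code from the AEPD guidance or from Securiti) that also enforces per-purpose granularity and a "reject all" path; the purpose names and the `necessary` exemption are assumptions for illustration.

```javascript
// Added illustration: a minimal consent record enforcing the AEPD rules
// discussed above. Purpose names are assumed; "necessary" stands for cookies
// exempt from consent (strictly necessary / transmission cookies).
const DECLARED_PURPOSES = ["necessary", "analytics", "marketing"];
const MAX_CONSENT_MONTHS = 24;

// Stable fingerprint of the declared purposes; any change forces a new prompt.
function purposeFingerprint(purposes) {
  return [...purposes].sort().join("|");
}

// Only an explicit `true` counts as consent: absent or unchecked purposes
// remain rejected (no consent by scrolling, continuing to browse, etc.).
function recordConsent(choices, declaredPurposes, now = new Date()) {
  const granted = {};
  for (const p of declaredPurposes) {
    granted[p] = p === "necessary" ? true : choices[p] === true;
  }
  return {
    grantedAt: now.toISOString(),
    purposes: purposeFingerprint(declaredPurposes),
    granted,
  };
}

// "Reject all" is the same record with every consent-based purpose refused.
function rejectAll(declaredPurposes, now = new Date()) {
  return recordConsent({}, declaredPurposes, now);
}

// Consent lapses exactly 24 months after it was given.
function consentExpiry(record) {
  const d = new Date(record.grantedAt);
  d.setUTCMonth(d.getUTCMonth() + MAX_CONSENT_MONTHS);
  return d;
}

// A stored record is reusable only if it is unexpired and the purposes it
// was given for still match what the site declares today.
function isConsentCurrent(record, declaredPurposes, now = new Date()) {
  if (!record) return false;
  if (record.purposes !== purposeFingerprint(declaredPurposes)) return false;
  return now < consentExpiry(record);
}

// Gate each cookie on its purpose: exempt cookies are always allowed,
// everything else needs a current record with that purpose granted.
function mayUseCookie(record, purpose, declaredPurposes, now = new Date()) {
  if (purpose === "necessary") return true;
  return isConsentCurrent(record, declaredPurposes, now) && record.granted[purpose] === true;
}
```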
Liability
Website publishers and third parties managing the cookies can define their relationships through contractual arrangements. However, the administrative liability against non-compliance with the cookie consent requirements cannot be contractually transferred to the other party. Therefore, both website publishers and third parties acting as processors must fulfill their respective obligations.
How Securiti Can Help
Securiti’s Cookie Consent enables companies to build cookie consent banners in accordance with the applicable legal requirements with cookie auto-blocking, periodic scanning, and preference center features. Securiti’s Universal Consent Management captures consent and automates revocation fulfillment.
Request a demo today to understand how Securiti can help you comply with the consent requirements of GDPR, the e-Privacy Directive, the AEPD’s guidance on the use of cookies, and a whole host of other global privacy laws and regulations with ease.