Spanish Guide on the Use of Cookies

By Anas Baig | Reviewed By Maria Khan
Published November 10, 2020 / Updated May 10, 2024

The Spanish Data Protection Authority (AEPD) released updated guidance on the use of cookies in July 2023. The guidance was updated to align it with the Guidelines 03/2022 on deceptive design patterns issued by the European Data Protection Board (EDPB) in February 2023.

Some of the key takeaways from the guidance are set out below:

  • User’s consent must be obtained for the use of cookies.
  • Users may convey their consent preferences through browser or other application settings where technically possible and effective.
  • Consent is not required for the use of cookies required for carrying out transmission of communication over an electronic communications network or those strictly necessary for the provision of a service expressly requested by the user.
  • For consent to be valid, it must be freely granted and informed.
  • The option to “continue browsing”, user click, scrolling, navigation, or any similar behavior does not constitute a valid form of consent.
  • Consent is deemed to be valid only where the user has made a clear affirmative and unequivocal action.
  • Consent must be given for each specific purpose to ensure granularity. It is recommended that a separate cookie should be used for each purpose.
  • The acceptance of the use of cookies must be separate from the acceptance of the terms and conditions of the use of the website or service or the privacy policy of the website.

Transparency Requirement

  • The information about cookies provided at the time of requesting the user’s consent must be sufficiently complete to allow users to understand its purpose and use.
  • The information must be provided in a concise, transparent, and intelligible manner using clear and simple language.
  • When providing information about third parties that use cookies, in order to comply with the conciseness requirement, different mechanisms may be used, such as buttons that display this information or pop-up text that appears when passing the mouse pointer over it.
  • The use of phrases that confuse or distort the clarity of the message should be avoided.
  • Users should be informed, at least on a generic basis, of the cookies excluded from consent and notice requirements.

Layered Information Format

One of the ways to obtain consent to the use of cookies is to provide layered information.

  • First Information Layer: containing essential information such as the identity of the website publisher, the purposes for which cookies will be used, information on whether the cookies will be used only by the publisher or also by third parties, information on the type of data to be collected and used, the mode in which a user can accept, configure or reject the use of cookies, and a clearly visible link taking the user to the second information layer or the cookie policy. This information should be provided to users before the installation of cookies in a format that is visible to users. The updated guide provides several valid examples of a first information layer.
  • Second Information Layer: containing detailed information as required under Article 13 of the GDPR, such as the definition and generic function of cookies; information about the type of cookies that are used and their purpose; identification of who uses the cookies; information on how to accept, deny or revoke consent to the use of cookies or how to delete third-party cookies from the browser or system; data retention periods; and, where appropriate, information on data transfers to third countries. When profiling involves automated decision-making with legal effects for the user, or that similarly significantly affects the user, it will be necessary to inform the user of the logic used as well as the significance and expected consequences. The cookie policy should be easily and permanently accessible to users.

Accessibility and Visibility of Cookies

The information about cookies must be easily accessible. The accessibility and visibility can be enhanced in several ways:

  • by increasing the size of the link to the information or using a different font to distinguish that link from the normal text of the website;
  • by positioning the link in areas that capture the users’ attention or where an average user expects to find it;
  • by using descriptive and intuitive names for the link, for example, using “Cookie Policy” instead of a general expression like “Privacy Policy” improves its accessibility and visibility; and
  • by using alternative methods that emphasize the significance of the informative hyperlink, such as employing framing or underlining for the link, triggering a notice when the mouse pointer hovers over the link, or incorporating a clickable image that motivates exploration for additional information.
  • The website publisher is obligated to provide users with information in its cookie policy regarding the procedures for withdrawing consent and deleting cookies.
  • The publishers must allow users to withdraw consent to the use of cookies at any time.
  • Withdrawing consent to the use of cookies must be made as easy as giving it.
  • A button to reject all cookies must be installed.
  • The 'reject all' button must be equally appealing, easily accessible, and prominently displayed, with a design that avoids potential misleading elements, such as difficult-to-read color contrasts, to ensure users are not led into unintentionally accepting cookies.

As a general rule, website publishers cannot make access to a service or its functionalities conditional on the user’s acceptance of the use of cookies. Where non-acceptance of the use of cookies prevents access to the website, totally or partially:

  • the user must be properly informed about it;
  • alternative access to the service must be offered to the user without requiring them to accept the cookies;
  • the services of both alternatives offered to the user must be genuinely equivalent; and
  • the alternatives must be offered by the publisher and not by any other entity, and this alternative does not necessarily have to be free of charge.

However, unlike other EU data protection authorities, the AEPD does not set additional requirements or constraints, for example, ensuring the reasonableness and fairness of the price for the payment alternative and prohibiting the use of this mechanism by public authorities.

Personalization Cookies

Personalization cookies, designed to save information and tailor user experiences, are exempted from the need for consent only when it is the user who actively chooses specific conditions. For instance, if a user selects a language by clicking on a country flag, chooses a currency for a transaction, or customizes the font size or color, the consent exemption applies. In such instances, the cookies' lifespan doesn't necessarily have to be limited to the session, thus sparing users the inconvenience of having to personalize their settings with each visit. However, if there is an intention to use these cookies for additional purposes like statistics or marketing, obtaining user consent remains a requirement.

  • Websites aimed at minors must use simple and clear language. In the case of children under 14 years of age, website publishers must make reasonable efforts to verify that consent for the processing of personal data is given by the holder of parental authority or guardianship, taking into account the available technology and the circumstances of the processing. Additionally, the publisher must consider the risk associated with the use of cookies and implement the principle of data minimization.
  • The website publishers must take additional precautions when using data to personalize the user experience without creating a profile of the minor. In the absence of the corresponding risk analysis according to the specific circumstances of the case, additional precautions should be taken to verify that the consent was given or authorized by the holder of parental authority or guardianship.
  • The system of the website publisher should detect incidents indicating inaccurate data entry, and in such cases, it should refrain from using cookies until the holder of parental authority or guardianship grants consent. This could include cases where future dates are specified, or the mentioned age of the parent/guardian is not reasonable. Website owners may employ reasonable verification methods, like questions or captchas, to ensure that parental consent is obtained rather than that of the minor.
  • If consent for cookie usage is sought during processes like registration, additional information about parents or guardians may be requested for verification, such as their name, email address, or a copy of identification documents. This approach aims to uphold the importance of securing clear and explicit parental consent, particularly when dealing with minors' data in online services.

The periodic renewal of consent at appropriate intervals is considered a best practice. The validity of consent provided by a user for the use of a certain cookie must not have a duration longer than 24 months. During this time, the selection made by the user must be preserved so that the user is not asked to provide consent every single time they visit the webpage in question unless the purpose of cookies is changed.


Website publishers and third parties managing the cookies can define their relationships through contractual arrangements. However, the administrative liability against non-compliance with the cookie consent requirements cannot be contractually transferred to the other party. Therefore, both website publishers and third parties acting as processors must fulfill their respective obligations.

How Securiti Can Help

Securiti’s Cookie Consent enables companies to build cookie consent banners in accordance with the applicable legal requirements with cookie auto-blocking, periodic scanning, and preference center features. Securiti’s Universal Consent Management captures consent and automates revocation fulfillment.

Request a demo today to understand how Securiti can help you comply with the consent requirements of GDPR, e-Privacy Directive, the AEPD’s guidance on the use of cookies, and a whole host of other global privacy laws and regulations with ease.

Frequently Asked Questions

The cookie policy in Spain, like in other EU countries, is based on the EU ePrivacy Directive and the GDPR. It requires websites to obtain user consent before setting non-essential cookies, provide clear information about cookie usage, and allow users to manage their cookie preferences. Consent, in this case, is a GDPR-valid consent provided by a clear and affirmative action to the use of cookies and other trackers.

The EU cookie policy requirements include obtaining user consent for non-essential cookies, providing clear and comprehensive information about cookies, allowing users to manage their preferences, and ensuring compliance with data protection regulations, particularly the GDPR.

The Spanish cookie guidelines align with EU regulations. They emphasize the need for websites to obtain valid user consent for cookies, provide information on the purpose of each cookie, and offer user-friendly mechanisms for managing cookie settings.

Fines for failure to comply may extend to €30,000 as per the Organic Law on Personal Data Protection and Digital Rights Guarantee (LOPD-GDD), with enforcement carried out by the Spanish Data Protection Agency (AEPD).
