Products
By Use Cases By Roles
Data Command Center
View
Learn more

AI Security & Governance

Discover, assess, and safeguard AI usage

Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle

Learn more

Compliance Management

Automate Compliance with Global AI and Data Frameworks using Common Controls and Tests
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

AI Security & Governance

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

AI Security & Governance

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View

AI Security & Governance

View

Compliance Management

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Databricks

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

CPRA
California Privacy Rights Act

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA Compliance Solution

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Spanish Guide on the Use of Cookies

By Anas Baig | Reviewed By Maria Khan

Published November 10, 2020 / Updated January 8, 2024

The Spanish Data Protection Authority (AEPD) released an updated guidance on the use of cookies in July 2023. The guidance was updated to align it with the Guidelines 03/2022 on deceptive design patterns issued by the European Data Protection Board (EDPB) in February 2023.

Some of the key takeaways from the guidance are set out below:

User’s consent must be obtained for the use of cookies.
Users may convey their consent preferences through browser or other application settings where technically possible and effective.
Consent is not required for the use of cookies required for carrying out transmission of communication over an electronic communications network or those strictly necessary for the provision of a service expressly requested by the user.

For consent to be valid, it must be freely granted and informed.
The option to “continue browsing”, user click, scrolling, navigation, or any such similar behavior does not constitute valid forms of consent.
Consent is deemed to be valid only where the user has made a clear affirmative and unequivocal action.
Consent must be given for each specific purpose to ensure granularity. It is recommended that a separate cookie should be used for each purpose.

The acceptance of the use of cookies must be separate from the acceptance of the terms and conditions of the use of the website or service or the privacy policy of the website.

Transparency Requirement

The information about cookies provided at the time of requesting the user’s consent must be sufficiently complete to allow users to understand its purpose and use.
The information must be provided in a concise, transparent, and intelligible manner using clear and simple language.
When providing information about third parties that use cookies, in order to comply with the conciseness requirement, different mechanisms may be used, such as buttons that display this information or pop-up text that appears when passing the mouse pointer over it.
The use of phrases that confuse or distort the clarity of the message should be avoided.
Users should be informed, at least on a generic basis, of the cookies excluded from consent and notice requirements.

Layered Information Format

One of the ways to obtain consent to the use of cookies is to provide layered information.

First Information Layer: containing essential information such as the identity of the website publisher, the purposes for which cookies will be used, information whether the cookies will be used only by the publisher or also by third parties, information on the type of data to be collected and used, the mode in which a user can accept, configure or reject to the use of cookies, and a clearly visible link taking the user to the second information layer or the cookie policy. This information should be provided to users before the installation of cookies in a format that is visible to users. The updated guide provides several valid examples of a first information layer.
Second Information Layer: containing detailed information as required under Article 13 of the GDPR, such as the definition and generic function of cookies, information about the type of cookies that are used and their purpose, identification of who uses the cookies, information on how to accept, deny or revoke consent to the use of cookies or how to delete third party cookies from browser or system, data retention periods and where appropriate, information on the data transfers to third countries and when profiling involves decision-making automated with legal effects for the user or significantly affect users similarly, it will be necessary to inform the user on the logic used as well as the significance and expected consequences. The cookie policy should be easily and permanently accessible to users.

Accessibility and Visibility of Cookies

The information about cookies must be easily accessible. The accessibility and visibility can be enhanced in several ways:

by increasing the size of the link to the information or using a different font to distinguish that link from the normal text of the website;
by positioning the link in areas that capture the users’ attention or where an average user expects to find it;
by using descriptive and intuitive names for the link i.e., using “Cookie Policy” instead of a general expression like “Privacy Policy” improves its accessibility and visibility; and
by using alternative methods that emphasize the significance of the informative hyperlink, such as employing framing or underlining for the link, triggering a notice when the mouse pointer hovers over the link, or incorporating a clickable image that motivates exploration for additional information.

The website publisher is obligated to provide users with information in its cookie policy regarding the procedures for withdrawing consent and deleting cookies.
The publishers must allow users to withdraw consent to the use of cookies at any time.
The method to withdraw cookies must be made as easy as obtaining consent.
A button to reject all cookies must be installed.
The 'reject all' button must be equally appealing, easily accessible, and prominently displayed, with a design that avoids potential misleading elements, such as difficult-to-read color contrasts, to ensure users are not led into unintentionally accepting cookies.

As a general rule, website publishers cannot make access to a service or its functionalities conditional on the user’s acceptance of the use of cookies. Where non-acceptance to the use of cookies prevents access to the website, totally or partially,

the user must be properly informed about it;
alternative access to the service must be offered to the user without requiring them to accept the cookies;
the services of both alternatives offered to the user must be genuinely equivalent; and
the alternatives must be offered by the publisher and not by any other entity, and this alternative does not necessarily have to be free of charge.

However, unlike other EU data protection authorities, the AEPD does not specify additional specifications or constraints, for example, ensuring the reasonableness and fairness of the price for the payment alternative and prohibiting the use of this mechanism by public authorities.

Personalization Cookies

Personalization cookies, designed to save information and tailor user experiences, are exempted from the need for consent only when it is the user who actively chooses specific conditions. For instance, if a user selects a language by clicking on a country flag, chooses a currency for a transaction, or customizes the font size or color, consent exemption applies. In such instances, the cookies' lifespan doesn't necessarily have to be limited to the session, thus facilitating users from the inconvenience of having to personalize their settings with each visit. However, if there is an intention to use these cookies for additional purposes like statistics or marketing, obtaining user consent remains a requirement.

Websites aimed at minors must use simple and clear language. In the case of children under 14 years of age, website publishers must make reasonable efforts to verify that consent for the processing of personal data is given by the holder of parental authority or guardianship, taking into account the available technology and the circumstances of the treatment. Additionally, the publisher must consider the risk associated with the use of cookies and implement the principle of data minimization.
The website publishers must take additional precautions when using data to personalize the user experience without creating a profile of the minor. In the absence of the corresponding risk analysis according to the specific circumstances of the case, additional precautions should be taken to verify that the consent was given or authorized by the holder of parental authority or guardianship.
The system of the website publisher should detect incidents indicating inaccurate data entry, and in such cases, it should refrain from using cookies until the holder of parental authority or guardianship grants consent. This could include cases where future dates are specified, or the mentioned age of the parent/guardian is not reasonable. Website owners may employ reasonable verification methods, like questions or captchas, to ensure that parental consent is obtained rather than that of the minor.
If consent for cookie usage is sought during processes like registration, additional information about parents or guardians may be requested for verification, such as their name, email address, or a copy of identification documents. This approach aims to uphold the importance of securing clear and explicit parental consent, particularly when dealing with minors' data in online services.

The periodic renewal of consent at appropriate intervals is considered a best practice. The validity of consent provided by a user for the use of a certain cookie must not have a duration longer than 24 months. During this time, the selection made by the user must be preserved so that the user is not asked to provide consent every single time they visit the webpage in question unless the purpose of cookies is changed.

Liability

Website publishers and third parties managing the cookies can define their relationships through contractual arrangements. However, the administrative liability against non-compliance with the cookie consent requirements cannot be contractually transferred to the other party. Therefore, both website publishers and third parties acting as processors must fulfill their respective obligations.

How Securiti Can Help

Securiti’s Cookie Consent enables companies to build cookie consent banners in accordance with the applicable legal requirements with cookie auto-blocking, periodic scanning, and preference center features. Securiti’s Universal Consent Management captures consent and automates revocation fulfillment.

Request for a demo today to understand how Securiti can help you comply with the consent requirements of GDPR, e-Privacy Directive, the AEPD’s guidance on the use of cookies, and a whole host of other global privacy laws and regulations with ease.

The cookie policy in Spain, like in other EU countries, is based on the EU ePrivacy Directive and the GDPR. It requires websites to obtain user consent before setting non-essential cookies, provide clear information about cookie usage, and allow users to manage their cookie preferences. Consent, in this case, is a GDPR-valid consent provided by a clear and affirmative action to the use of cookies and other trackers

The EU cookie policy requirements include obtaining user consent for non-essential cookies, providing clear and comprehensive information about cookies, allowing users to manage their preferences, and ensuring compliance with data protection regulations, particularly the GDPR.

The Spanish cookie guidelines align with EU regulations. They emphasize the need for websites to obtain valid user consent for cookies, provide information on the purpose of each cookie, and offer user-friendly mechanisms for managing cookie settings.

Fines for failure to comply may extend to €30,000 as per the Organic Law on Personal Data Protection and Digital Rights Guarantee (LOPD-GDD), with enforcement carried out by the Spanish Data Protection Agency (AEPD).

Privacy Center
Fully Functional In Minutes

Elegant Consumer Frontend, Fully Automated Backend, Privacy Regulation Intelligent Everywhere.

Take a Tour

First Name

Last Name

Role

Platform Location

Language Preference

Yes, I consent to receive email updates about Securiti.ai products, services, and offers. I understand that I can unsubscribe at any time. By submitting your information, you agree to the terms outlined in our privacy policy.

Note: Your credit card will be charged at the end of the 30 day free trial period and your subscription will be automatically renewed monthly/yearly. You can cancel your subscription at any time

Transparency Requirement

Layered Information Format

Accessibility and Visibility of Cookies

Personalization Cookies

Liability

How Securiti Can Help

Frequently Asked Questions

Privacy Center
Fully Functional In Minutes

Newsletter

Company

Resources

Terms

Get in touch

Spanish Guide on the Use of Cookies

Consent Requirement

Valid Consent

Separate Consent to the Use of Cookies

Transparency Requirement

Layered Information Format

Accessibility and Visibility of Cookies

Easy Withdrawal of Consent

Cookie Walls

Personalization Cookies

Consent of Minors

Renewal of Consent

Liability

How Securiti Can Help

Frequently Asked Questions

Privacy Center Fully Functional In Minutes

Get Started

Email already in use

Unexpected error occurred

Join Our Newsletter

Share

More Stories that May Interest You

Cookie Banner: What is it & why you need one?

FTC Cracks Down on Unauthorized Disclosure of Health Information for Advertising: A Roundup of Recent Enforcement Actions

Consent Requirements in the Czech Republic for the Use of Cookies and Similar Technologies

Newsletter

Company

Resources

Terms

Get in touch

What'sNew

Privacy Center
Fully Functional In Minutes

What's
New