
Understanding Spanish cookie laws: A comprehensive guide

The Spanish data protection authority (AEPD) updated its guidelines on the use of cookies in Spain, requiring compliance from January 2024. We take a look at Spanish cookie laws to learn who they apply to and how you can be compliant under these new guidelines.

Feb 22, 2024

In July 2023, Agencia Española de Protección de Datos (AEPD), Spain’s Data Protection Authority, revised its guidelines on the use of cookies to align with the European Data Protection Board’s new directives.

All websites with Spanish visitors are now required to adhere to these updated guidelines, which have been mandatory since January 11, 2024.

We look at cookie regulations in Spain, who these laws and updated guidelines apply to, and how you can be compliant under Spanish cookie laws.

The ePrivacy Directive, GDPR and cookies in Spain

Cookies are small text files stored on a user’s browser when visiting websites. They track users’ online behavior, remember user preferences, and enable certain website functionalities. Despite their utility, these tracking cookies raise privacy concerns because they can collect, process and share a wide array of personal and potentially sensitive data.

Spanish cookie regulations form part of a legislative framework designed to protect the personal data and privacy of Spanish residents online. These regulations are shaped by the European Union’s ePrivacy Directive (known as the “cookie law”) and the General Data Protection Regulation (GDPR), both of which have been integrated into Spanish law.

The key laws governing cookies in Spain are:

  • The Organic Law 3/2018, known as the Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD), which adapts Spanish law to the GDPR and includes specific provisions for protecting personal data. While LOPDGDD does not focus solely on cookies, it encompasses the handling of personal data, which can include data obtained through cookies.
  • Law 34/2002 or the Law of Information Society Services and Electronic Commerce (LSSI) implements the ePrivacy Directive and specifically targets issues related to cookies.

Together, LOPDGDD and LSSI cover various aspects of digital rights and data protection. This approach is designed to respect individual privacy and to ensure that entities using cookies do so responsibly, upholding transparency and accountability.

Compliance with data privacy laws in Spain falls under the purview of the AEPD.

Cookie laws in Spain cover a broad range of digital platforms and entities. These laws primarily apply to:

  • Websites and mobile apps that are directed at Spanish users or process data from individuals in Spain.
  • Platforms, regardless of where they’re located, that offer goods or services to Spanish residents or monitor their behavior within the Spanish territory.

As Spanish cookie laws are designed to protect the privacy of individuals in Spain, any website or online service that interacts with this audience should ensure they are following these regulations.

The Spanish cookie law emphasizes that the use of non-exempt cookies requires user consent. Article 6 of the LOPDGDD aligns the definition of consent with its definition under the GDPR. Under the GDPR, cookie consent must be free, specific, informed and explicit.

Explicit cookie consent is typically obtained through a clear, affirmative action like clicking a button labeled “I consent,” “I accept,” or using a similar term.

Certain actions do not constitute consent under Spanish cookie law or the GDPR.

  • Any form of implied consent, like continuing to use a site without actively accepting or rejecting cookies, is not considered valid.
  • Simply not taking an action cannot be interpreted as giving consent.
  • Pre-checked boxes or default opt-ins do not constitute a clear affirmative action of consent as they imply consent by default, which is not allowed.
  • Consent obtained through cookie walls, where users are forced to accept cookies to access the website, is not considered freely given under the GDPR.

When a cookie serves two or more different purposes but a user only consents to one purpose, the cookie must only operate for the purpose agreed to.

The law specifies that individuals must be at least 14 years old to give valid consent. For users younger than 14 years, consent must be obtained from their parents or legal guardians.

Article 22.2 of the LSSI outlines certain situations where websites and/or apps don’t need to obtain explicit consent from users to use cookies. There are two main types of cookies that fall under this exemption:

  • For communication: These are cookies that are strictly necessary to enable the basic function of connecting the user’s computer to the network. For example, when you visit a website, these cookies help establish the connection between your computer and the website’s server so that the website can be loaded and displayed on your device. They are essential for the basic operation of the website.
  • For requested services: These are cookies used specifically to provide a service that a user has explicitly requested. For instance, if you’re shopping online and you add items to your cart, cookies are used to remember what you’ve added. These cookies ensure that your shopping cart remains updated with your selected items as you continue to browse the site. They’re necessary for specific functionalities that you, as the user, want to use.

In both cases, these cookies are considered essential for the basic functioning of the website or for delivering a service the user has directly asked for. Therefore, websites can use these types of cookies without needing to ask for permission every time.

Other examples of exempt cookies are personalization cookies that remember preferences such as language or font size settings, user identification or authentication cookies that help in maintaining the user’s session securely without requiring re-login on every page, and session cookies that manage server load to ensure that the user’s website experience is consistent and uninterrupted.

New guidelines about cookie use for audience measurement tools

New requirements were enacted in Spain in January 2024, which apply to operators of websites or mobile applications that set cookies for audience measurement.

Under the new guidelines, cookies that are used to obtain traffic or performance statistics may be exempt from consent requirements under the following specific conditions.

  • Data collected is limited to only that which is strictly necessary for provision of the service.
  • Processing must be carried out exclusively on behalf of the publisher.
  • Processing can only be used to produce anonymous statistical data.
  • Use of these cookies or similar technologies must not result in data being matched with other processing operations.
  • Data collected by these cookies or similar technologies must not be transmitted to third parties.
  • Use of these cookies or similar technologies must not allow aggregate tracking of a user’s navigation while browsing different websites or using other applications.

Requirements of audience measurement service providers

A vendor that provides a comparative audience measurement service to multiple publishers must provide objective assurances to those publishers that:

  • data is collected, processed and stored independently for each publisher; and
  • the cookies or similar technologies used are completely independent of each other and of any other cookies or similar technologies.

When a publisher uses an audience measurement service provider, the following warranties and requirements must also be in place.

  1. A contract with the provider that meets the requirements of Art. 28 GDPR:
    1. obligation not to reuse the data collected in any case, within the framework of the contract
    2. restriction of the processing of the data to the purposes set forth above as strictly necessary
    3. compliance with the safeguards established in the case of serving multiple publishers
    4. any transfer of data outside the European Union meets the conditions of compliance set out in the GDPR
  2. Perform and document an assessment, by the publisher or by an independent third party, of whether the tools provided by the supplier can be configured, and are in fact configured, to ensure compliance with the requirements listed above.

Accepted strictly necessary conditions for website administration

Per the first condition, the AEPD considers only the following measures as strictly necessary for the proper administration of a website:

  • page by page audience measurement
  • the list of pages from which a link has been followed to request the current page (referrer), whether internal or external to the site, per page and aggregated daily
  • determination of visitors’ device type, browser, screen size, per page and aggregated daily
  • page load time statistics, per page and aggregated hourly
  • statistics on time spent per page, bounce rate, scroll depth, per page and aggregated daily
  • statistics on user actions (clicks, selections), per page and aggregated daily
  • statistics on the geographical area of origin of the requests, per page and aggregated daily

Data collection and processing beyond the types and purposes listed above must have the advance consent of the data subject (user, customer, player, visitor) to be considered lawful.

User notification requirements for use of audience measurement cookies

  • Users must be informed about the use of these cookies or similar technologies for these purposes, even if they qualify as exempt from requiring user consent for use. This information is commonly provided in a website or app’s privacy policy.
  • Duration or lifetime of these cookies or similar technologies must be limited to a period that allows meaningful comparison of audiences over time, e.g. a duration of 13 months. This duration will not be automatically extended on new visits.
  • The information collected by these cookies or similar technologies can be retained for a maximum period of 25 months.
  • The duration/lifetime and retention periods will be subject to periodic review to limit them to what is strictly necessary.


Can users withdraw consent previously given?

Like the GDPR, Spanish cookie law requires that users should be able to withdraw their consent at any time. This gives users control over their personal data even if they initially consent to cookie use.

Websites must provide clear instructions on how users can withdraw their consent and remove cookies already stored on their devices. The process for opting out must be just as accessible and straightforward as the process by which users gave their consent.

The law mandates that the option to refuse cookies must be presented alongside the option to accept them, ensuring equal visibility and accessibility.

This means that the mechanisms for both accepting and rejecting cookies, such as buttons or links, should be similarly designed and located on the same page or user interface level of the cookie consent banner.

The objective is to facilitate an unbiased choice without complicating the process of refusal.

Under Spanish law, the first layer of a cookie consent banner must provide users with essential information upon accessing a website or app. This layer should:

  • Clearly display the name of the publisher of the website.
  • Inform users about the specific purposes for using cookies, such as user experience enhancement, analytics, or advertising.
  • Specify whether the cookies used are first-party or third-party cookies.
  • Describe the types of cookies being used (e.g., functional, analytical, or advertising cookies) and the nature of data they collect and process.
  • Offer clearly labeled options to accept, configure, or reject the use of cookies.
  • Provide a link to a second layer of information that offers more detailed insights about cookie usage, privacy implications, and data handling practices.

The second layer of information on a cookie banner must display more detailed and specific information about the cookies being used.

A key element of this layer is a control panel or settings panel, which gives users more granular control over their cookie preferences. This can be achieved in the following ways:

  • Grouping by purpose: This categorization enables users to selectively give consent for one or more intended uses of cookies, such as for analytics, marketing, or social media integration.
  • Grouping by third-party providers: Within each category of purpose, cookies can be further grouped according to the third party responsible for them. This means users have the option to accept cookies from one third-party entity while rejecting those from another.
  • Identification of third parties: The cookie banner must clearly identify third-party cookies, either by the name of the third party or the brand name they are publicly recognized by.

The settings panel should clearly instruct users on how to save their cookie preferences, with options like “save selection” or “save configuration.”

The wording used in cookie consent banners under Spanish law is flexible provided it clearly communicates the implications of user choices regarding cookie acceptance or rejection.

The standard “Accept” option may use equivalent phrases like “Accept and continue”, “OK”, or “Accept and close”. The primary requirement is that these alternatives should convey a clear message of consent to the use of cookies.

The option labeled “Set” might be substituted with terms such as “Options”, “More options”, “Other options”, “Cookies”, “Cookie policy”, or “Privacy setting”.

The cookie banner must include an option to reject cookies using straightforward language such as “Reject cookies”, “Reject”, or an equivalent term. This ensures users have a clear and direct means to opt-out of cookie usage.

Regardless of the terminology, the language on the cookie banner should always be straightforward, leaving no room for ambiguity about what each choice entails. This enables users to make informed decisions about their privacy.

For cookies where user consent is required, AEPD considers it good practice that this consent remains valid for no longer than 24 months. This means that after a two-year period, websites should seek to renew consent from users for continued cookie usage.

For cookies that serve functions other than those requiring explicit consent, the recommendation is to minimize their lifespan as much as their purpose allows. This approach to cookie duration aligns with broader data protection principles, ensuring that user data is not held for longer than necessary and that user preferences are regularly updated to reflect current consent.

The concept of cookie walls under Spanish cookie law is closely guided by the EDPB guidelines on consent. Users must be able to access services and functionalities without the condition of accepting cookies, thereby ensuring that consent is given freely and not under any form of compulsion.

If a website wishes to implement a cookie wall, it must also provide an alternative means of accessing the service that does not require the acceptance of cookies. This ensures that consent is not coerced by restricting access to services.

This alternative does not necessarily have to be free of charge. Offering a subscription model or a paid service without cookies is a viable approach under Spanish cookie regulations.

Article 76 of the LOPDGDD integrates the fines stipulated under the GDPR into Spanish legislation. As a result, businesses or entities that fail to adhere to the Spanish cookie rules may face substantial financial penalties. These fines can reach up to €20 million or 4% of the company’s total global annual turnover, whichever is higher.

1. Follow the updated display requirements on banners

Design cookie banners according to Spanish legal standards, including providing clear “Accept” and “Reject” options. Ensure your banners provide relevant information about the type of cookies used and their purpose in line with the AEPD guidelines’ first layer and second layer requirements.

2. Use a consent management platform (CMP)

Using a consent management platform (CMP) like Cookiebot CMP can enable you to achieve compliance with cookie law in Spain and the GDPR’s cookie consent requirements. You can configure Cookiebot CMP to meet Spain’s legal requirements to obtain opt-in consent from users, including offering granular consent options. Cookiebot CMP also enables users to easily reject or withdraw consent as per the AEPD’s requirements.

Cookiebot CMP supports 48 languages — including Spanish, Catalan and Basque — so you can set it up to display a cookie banner based on the user’s browser settings.

3. Conduct an audit of your website’s cookies

You need to know what cookies your website uses so you can comply with the requirement of listing them on the cookie consent banner. A cookie checker like Cookiebot CMP can detect all cookies and other website trackers implemented on your website and enable compliance with this requirement.

4. Avoid cookie walls

Cookie walls that force users to accept cookies for accessing the site’s content go against the AEPD’s guidelines. If you must use a cookie wall, ensure you provide a genuine alternative for users to access your website or app without accepting cookies.

5. Review cookie duration and renew consent

Follow the AEPD’s best practices for cookie duration and ensure you get fresh consent from users at appropriate intervals, not exceeding 24 months. If there are changes to your cookie policy or a cookie’s purposes, you should prompt your users to reaffirm consent even if they have already given it and the cookie duration has not lapsed.
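As an added example (not code from Cookiebot or from the original post), a small JavaScript consent-record checker that applies the rules described above: consent is renewed after 24 months or after a cookie-policy change, a multi-purpose cookie only runs for the purposes actually consented to, and an exempt audience measurement cookie is capped at 13 months and not extended on repeat visits. The record fields, the `_am_id` cookie name and the sample dates are assumptions.

```javascript
// Added example (not from the original post): encodes the AEPD duration and
// purpose rules described above as checks. All names are assumptions.
const CONSENT_VALIDITY_MONTHS = 24;   // good practice: renew consent after 24 months
const MEASUREMENT_COOKIE_MONTHS = 13; // lifetime cap for exempt audience measurement cookies

// Calendar month arithmetic in UTC, so "24 months" is not approximated in days.
function addMonths(date, n) {
  const d = new Date(date.getTime());
  d.setUTCMonth(d.getUTCMonth() + n);
  return d;
}

// record: { givenAt: ISO-8601 string, policyVersion: string, purposes: { name: bool } }
// Returns whether the stored consent can still be relied on, and why not otherwise.
function evaluateConsent(record, currentPolicyVersion, now = new Date()) {
  if (!record) return { valid: false, reason: "no-consent" };
  if (record.policyVersion !== currentPolicyVersion) {
    return { valid: false, reason: "policy-changed" }; // re-prompt after a policy change
  }
  const givenAt = new Date(record.givenAt);
  if (Number.isNaN(givenAt.getTime())) return { valid: false, reason: "malformed" };
  if (addMonths(givenAt, CONSENT_VALIDITY_MONTHS) <= now) {
    return { valid: false, reason: "expired" }; // older than 24 months: renew
  }
  return { valid: true, reason: "ok" };
}

// A cookie serving several purposes may only run for the purposes the user agreed to.
function allowedPurposes(record, currentPolicyVersion, cookiePurposes, now = new Date()) {
  if (!evaluateConsent(record, currentPolicyVersion, now).valid) return [];
  const granted = record.purposes || {};
  return cookiePurposes.filter((p) => granted[p] === true);
}

// Exempt audience measurement cookie: capped at 13 months and never extended on a
// repeat visit. Returns a Set-Cookie header value, or null when the cookie already
// exists on the client. "_am_id" is an assumed cookie name.
function measurementSetCookie(existingValue, newId, now = new Date()) {
  if (existingValue) return null;
  const expires = addMonths(now, MEASUREMENT_COOKIE_MONTHS);
  const maxAge = Math.floor((expires.getTime() - now.getTime()) / 1000);
  return `_am_id=${encodeURIComponent(newId)}; Max-Age=${maxAge}; ` +
    `Expires=${expires.toUTCString()}; Path=/; Secure; SameSite=Lax`;
}

// Constructed sample records (not real data).
const NOW = new Date("2024-03-01T00:00:00Z");
const staleConsent = { givenAt: "2022-02-01T00:00:00Z", policyVersion: "v2",
  purposes: { analytics: true, marketing: false } };
const freshConsent = { ...staleConsent, givenAt: "2023-06-01T00:00:00Z" };
```

The same checks can run server-side when deciding which scripts to emit, or client-side before a tag manager loads a cookie-setting script.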

FAQ

What is the GDPR called in Spain?

In Spain, the General Data Protection Regulation (GDPR) is known by its full name without any specific Spanish title. It is complemented by the Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD), which adapts and applies the GDPR’s provisions within the Spanish legal framework.
