Updated: 24 / 07 / 2025

The ultimate guide to cookie regulations in Spain 2024

Francesc Sánchez
Digital marketing expert

If you have a website, it's crucial that you stay informed about these regulations to keep your site aligned with privacy and data protection laws. Let's make it easy and digestible!

Introduction to the AEPD cookie regulations

Cookies are those little tools that make your web browsing more personalized. But did you know there's a regulation that governs their use? That's right! The AEPD in Spain ensures that your privacy is respected. Complying with these rules is not just a legal obligation but a commitment to transparency and your users' trust.

What are cookies and how do they work?

Cookies are small text files that websites send to a user's device to store information about their browsing. This information may include language preferences, session data, and details that improve the browsing experience.

Cookies are essential for website functionality, allowing the user experience to be personalized and analytical data to be collected.

Is it important to comply with the AEPD regulation on my website?

Complying with the AEPD cookie regulation is not only a legal obligation for website owners in Spain, but it is also crucial to ensure the privacy and data protection of users. The Spanish Data Protection Agency (AEPD) sets clear guidelines on the use of cookies, ensuring that users are informed and have explicitly consented to their use, thereby improving transparency and trust in the digital ecosystem.

Classification of cookies according to the AEPD and the regulation

Not all cookies are the same. Depending on various factors, the regulation classifies them in different ways. Below, we explain the classification and their differences:

First-party cookies vs. third-party cookies

First-party cookies:

These are managed directly by the publisher of the website you are visiting (in this case, us). These cookies are essential for basic site functions and user experience.

Third-party cookies:

Sent by entities other than the website publisher, they are used to collect information about user behavior across different websites, facilitating services such as personalized advertising. For example, Google Ads cookies.

Types of cookies by purpose

Depending on the use of the data obtained from cookies and their intended functions, we can define the following classification:

Technical cookies

Necessary for browsing and the proper functioning of the website. These cookies allow traffic control, session identification, and access to restricted areas.

Preference or customization cookies

Allow the website to remember information that changes the appearance or behavior of the site according to user preferences, such as language or region.

Analytics or measurement cookies

Collect data about user activity on the website, allowing statistical analysis to improve the services offered. A good example is the use of Google Analytics cookies to understand how users interact with the site.

Behavioral advertising cookies

Store information about the user’s browsing habits, showing personalized advertising based on these habits. This is commonly seen on websites running remarketing campaigns through Google Ads or using the Facebook pixel to display related content to an audience via Paid Ads campaigns.

Cookie duration: session vs. persistent

Another factor to consider is how long cookies remain on the user’s device after visiting the site. Based on this, we have two clearly defined types:

Session cookies

Automatically deleted when the user closes the browser. They are temporary and useful for remembering activities during a session.

Persistent cookies

Remain on the user’s device for a predetermined period, allowing preferences to be remembered for future visits.

Transparency and consent requirements: what the AEPD expects from us

Now that we understand the technical aspects of cookies and how they are classified, it’s important to know our obligations when using cookies on our website.

To ensure compliance, it's important to follow the regulations closely and avoid overlooking any aspect that could be detrimental to our website.

Mandatory information about the use of cookies: you must inform your users

Website owners must provide clear and comprehensive information about the use of cookies, including their definition, function, and purpose.

This includes detailing the types of cookies used (technical, personalization, analytics, etc.) and how users can accept, reject, or revoke their consent.

How to obtain valid consent

To ensure that consent for non-exempt cookies is valid, it must be freely given, informed, specific, and explicit.

This means that users must be able to choose whether to accept or reject the use of cookies, except for those strictly necessary for the site’s operation.

It's important to know that consent is only considered valid if it’s obtained through a clear affirmative action, such as clicking “Accept” on a cookie banner.

Updating and revoking consent: what if the visitor changes their mind?

As website owners, we must provide users with the ability to update their cookie preferences at any time and to revoke previously given consent.

This option must be easily accessible. Also, if significant changes are made to the cookie usage, a new consent request must be presented.
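The consent rules above (affirmative action only, nothing granted by default, revocation at any time, a new request after significant changes) can be enforced in code. The following is an added example, not code from this guide or from any CMP; the category names, action names and policy version string are assumptions chosen for illustration.

```javascript
// Added example: consent state gate. Category and action names are constructed.
const NON_EXEMPT = ["preference", "analytics", "advertising"];
// Only these user actions count as a clear affirmative action.
const AFFIRMATIVE = new Set(["accept_all", "reject_all", "save_choices"]);

function createConsent(policyVersion) {
  let record = null; // no record = no consent; nothing is pre-ticked

  return {
    // action: what the user did; choices: per-category booleans for save_choices
    decide(action, choices = {}, now = new Date()) {
      if (!AFFIRMATIVE.has(action)) return false; // scrolling, closing: ignored
      const granted = {};
      for (const c of NON_EXEMPT) {
        granted[c] = action === "accept_all" ||
          (action === "save_choices" && choices[c] === true);
      }
      record = { granted, policyVersion, at: now.toISOString() };
      return true;
    },
    // Technical cookies are exempt; everything else needs a current grant.
    allowed(category, currentVersion = policyVersion) {
      if (category === "technical") return true;
      if (!record || record.policyVersion !== currentVersion) return false;
      return record.granted[category] === true;
    },
    // Revocation: one call, no conditions attached.
    revoke() { record = null; },
    // True when the banner must be shown (no decision yet, or policy changed).
    needsPrompt(currentVersion = policyVersion) {
      return !record || record.policyVersion !== currentVersion;
    },
  };
}
```

Scripts that set analytics or advertising cookies should be loaded only after `allowed(category)` returns true, so a missing or stale record blocks them.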

Responsibilities in the use of cookies: learn who is accountable

Now, let's take a journey together to better understand who’s who in the world of cookies and how responsibilities are distributed.

Cookie management involves different parties, including website owners (publishers) and third parties (e.g., analytics or advertising service providers).

Both have clear responsibilities regarding the information provided to users and obtaining consent.

The two types of purposes in cookies

  • Cookies for exempted purposes: Do not require consent, but their use must still be disclosed.
  • Cookies for non-exempted purposes: Require both publishers and third parties to properly inform users and obtain the necessary consent.

The importance of the design and structure of Cookie Notices

It’s not only important to know which cookies are on our website—another crucial part is how we ask users for their consent. The law is clear on this: users must know what they are accepting.

For this reason, here are the key points to ensure your cookie notice complies with all regulations.

Keys to an effective and legally compliant notice

Cookie notices must be:

  • Visible.
  • Accessible.
  • Designed in a way that doesn’t mislead users into giving inadvertent consent.

The design should support user understanding and provide balanced choices between acceptance and rejection.

Incorrect practices and how to avoid them

It’s crucial to avoid practices like the lack of a clear reject button, pre-ticked boxes, or designs that hinder the option to reject cookies.

These practices can be considered misleading and do not meet the requirements of valid consent.

Practical implementation for your cookie banner

If you’ve made it this far, we’ll now provide visual and straightforward examples to create a compliant cookie banner without the headache.

List all your cookies by type and purpose

To ensure compliance with cookie regulations, website owners must follow several practical steps.

This includes listing all cookies used on the website, categorizing them by type and purpose, and ensuring that the information provided to users is clear and complete.

It’s also essential to implement an effective mechanism that allows users to provide informed and voluntary consent.
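As an added example (not part of the original guide), the inventory step can be automated by classifying observed `Set-Cookie` headers along the axes described earlier: first-party vs. third-party, session vs. persistent, and purpose. The site host, cookie names, purpose register and sample headers are constructed, and treating only technical cookies as exempt is an assumption taken from this guide's wording.

```javascript
// Added example: cookie inventory from observed Set-Cookie headers.
// SITE_HOST, PURPOSES and SAMPLE are constructed for illustration.
const SITE_HOST = "shop.example";

// Operator-maintained purpose register (hypothetical cookie names).
const PURPOSES = new Map([
  ["sessionid", "technical"],
  ["lang", "preference"],
  ["_stats", "analytics"],
  ["ad_id", "advertising"],
]);
const EXEMPT = new Set(["technical"]); // assumption: only technical is exempt

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

function classify(setByHost, header) {
  const { name, attrs } = parseSetCookie(header);
  const host = setByHost.toLowerCase();
  const firstParty = host === SITE_HOST || host.endsWith("." + SITE_HOST);
  // No Expires and no Max-Age means the browser drops it at session end.
  const persistent = "max-age" in attrs || "expires" in attrs;
  // Cookies missing from the register are flagged, never assumed exempt.
  const purpose = PURPOSES.get(name) || "unclassified";
  return {
    name,
    party: firstParty ? "first-party" : "third-party",
    duration: persistent ? "persistent" : "session",
    purpose,
    needsConsent: !EXEMPT.has(purpose),
  };
}

// Constructed sample: [host that sent the header, Set-Cookie value].
const SAMPLE = [
  ["shop.example", "sessionid=abc123; Path=/; HttpOnly; Secure"],
  ["shop.example", "lang=es; Max-Age=31536000; Path=/"],
  ["cdn.shop.example", "_stats=1; Expires=Wed, 01 Jan 2031 00:00:00 GMT"],
  ["ads.tracker.example", "ad_id=xyz; Max-Age=7776000; SameSite=None; Secure"],
  ["shop.example", "promo=1; Path=/"],
];

function inventory() { return SAMPLE.map(([h, c]) => classify(h, c)); }
console.table(inventory());
```

The `promo` row comes out as `unclassified`, which is the signal to document its purpose before the cookie notice can be considered complete.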

Examples and best practices for implementing cookie consent

The most recommended approach is a “layered information” model, one of the best practices available.

This involves showing a first layer of basic and essential information in the cookie banner, with options to accept or configure preferences, followed by a second layer with more detailed information accessible via a link.

This avoids overwhelming the user while ensuring they have easy access to all necessary details to make an informed decision.

Below is a list of non-compliant practices taken from the "Report of the work undertaken by the Cookie Banner Taskforce," adopted on January 17, 2023. The report classifies the practices observed on non-compliant websites as follows:

  • Type A: No reject button in the first layer of the banner, considered a violation by most as it fails to meet valid consent requirements.
  • Type B: Pre-ticked boxes, confirmed as invalid for obtaining consent under the GDPR and ePrivacy Directive.
  • Type C: Misleading link design for rejecting cookies, which must be clear and not push the user to consent.
  • Type D and E: Misleading button colors and contrasts that improperly highlight the option to accept all cookies. These require case-by-case analysis.
  • Type H: Legitimate interest claimed for certain processing operations, which may confuse users about their right to object.
  • Type I: Incorrect classification of "essential" cookies, highlighting the practical difficulty of determining which cookies are truly essential.
  • Type K: No icon for withdrawing consent. It’s recommended that websites provide easily accessible tools for users to revoke consent at any time.

Importance of CMPs (Consent Management Platforms)

Consent Management Platforms (CMPs) help facilitate cookie compliance in a simple and efficient way.

They allow website owners to manage users’ consent preferences transparently and efficiently, ensuring consent is collected and stored in line with legal requirements.

Implementing a proper CMP can significantly simplify compliance and enhance user experience.

Some of the most popular CMP services endorsed by Google include:

  • WordPress Plugin Complianz: allows for data request processing, supports Google Consent Mode V2, and offers customizable CSS and HTML templates, among other features.
  • Cookiebot: this platform offers two implementation options—via a script on your site or a WordPress plugin. It has over 1 million active users and multilingual support.
  • CookieYes: our trusted platform offers a dashboard for multiple domains, integrates via a simple script placed in the site’s header, and includes automatic customization options to align the banner’s style with your site’s design in one click. It’s the CMP used by major brands.
  • OneTrust: Similar to the others and also used by large companies, it features its own dashboard and fast support service. However, we’ve noted that it adds headers to their pages, which may not be ideal for SEO, but it’s still a Google-validated alternative.

It is worth noting that the official list includes more than 40 CMPs endorsed by Google, so you are free to review them and choose the one that best suits your needs.

What is the legal framework for cookie compliance?

You might be wondering where all these guidelines come from and which laws and regulations they belong to. If you have some spare time and want to fully understand the legal framework surrounding the use of cookies, you can read the following laws and regulations:

Law 34/2002 (LSSI)

The Law on Information Society Services and Electronic Commerce regulates the legal aspects of the digital economy in Spain, including the use of cookies. It requires users to give their consent after receiving clear and comprehensive information about their use.

Regulation (EU) 2016/679 (GDPR)

The General Data Protection Regulation establishes the data protection framework in the EU. It affects the use of cookies by requiring that any personal data collected through cookies complies with its principles of consent and data protection.

Organic Law 3/2018 (LOPDGDD)

The Organic Law on Personal Data Protection and Guarantee of Digital Rights adapts the GDPR to the Spanish legal system, providing specific rules on the processing of personal data and the use of cookies.

By adhering to these regulations, website owners not only fulfill their legal obligations, but also promote an environment of trust and security for users in the digital ecosystem.

Lastly, and very importantly, we remind all website owners and managers that La Teva Web aims to provide verified information about new changes. However, the best recommendation in case of doubt is to consult a legal service specialized in data protection in the digital field, as we are not responsible for any consequences resulting from the use of this guide for legal and regulatory compliance.

About the author
Francesc Sánchez — Digital marketing expert
From Barcelona, expert in digital marketing. Founder and CEO of La Teva Web and launcher of our magnificent blog. I am pleased to have laid the first stone of the foundations that support our values: happy customers and projects that leave their mark.
