December 7, 2020

Spanish AEPD Cookie Guidelines: The Ultimate Guide

In anticipation of the GDPR, the Spanish AEPD published cookie guidelines to help businesses get ready for compliance.

In anticipation of the GDPR, the Spanish AEPD published cookie guidelines to help businesses get ready for compliance.

The GDPR – General Data Protection Regulation – is the European set of rules about data security, which has been in effect since May 2018. 

Who is the AEPD?

AEPD is short for “Spanish Agency for Data Protection”. Their role is to guarantee that Spanish people comply with the European law and the LOPD-GDD – Organic Law of Protection of Personal Data and Guarantee of Digital Rights. 

The AEPD has an informative and instructive character. They have a total of 66 guides on their website, some of them also available in English. 

Additionally, the user will find tools, videos, and other mechanisms for implementing compliance solutions.

What are the AEPD Guidelines?

The AEPD published three guidelines back in 2017 to help people – especially Small and Medium Enterprises, SMEs – deal with the necessary preparations for data protection compliance. 

Up until 2020, these guides have been updated and new ones have been added to the list.


What is GT29?

GT29 is the “Article 29 Working Group”, an entity made up of a representative of the data protection authority of each EU Member State, the European Data Protection Supervisor, and the European Commission. It was launched in 1996.

What is EDPB? 

EDPB is The European Data Protection Board, an independent organization that ensures the consistent application of the GDPR in the European Union (EU), as well as Norway, Liechtenstein, and Iceland. 

They also promote cooperation between the data protection authorities of the EU states.

 What is LSSI?

LSSI is the Law of the Society of Information Services and Electronic Commerce, also known as LSSICE.

What are cookies, and which ones are exempted from the law?

Cookies are text files that are housed in the user’s computer when it navigates a website. They are used to collect data. 

It is necessary to inform and obtain consent for the use of cookies, for both first and third party, session or persistent. 

The LSSI article states that "Service providers may use data storage and retrieval devices in the terminal equipment of the recipients, provided that they have given their consent after they have been provided with clear and complete information on their use, in particular, on the purposes of data processing, in accordance with the provisions of Organic Law 15/1999, of December 13th, on the Protection of Personal Data”.

Some cookies are excluded from article 22.2 of the LSSI and do not require consent for utilization. These are:

  • "User input" cookies.
  • User authentication or identification cookies (session only).
  • User security cookies.
  • Media player session cookies.
  • Session cookies to balance the load.
  • Cookies for customizing the user interface.
  • Certain add-on cookies (plug-in) to exchange social content.

What types of cookies are used by websites?

  • First vs. Third-parties. 

First party cookies are sent by the editor itself when a service is requested by the user. 

Third-party cookies are sent from a computer or domain that is not managed by the publisher, but by another entity that processes the data obtained.

  • Session vs. Persistent

Session cookies collect and store data while the user accesses a web page and disappear at the end of the session. 

Persistent cookies are stored in the terminal and can be accessed and processed during a period defined by the person responsible for the cookie, which can range from a few minutes to several years.

  • Technical cookies

They allow the user to navigate through a web page, platform, or application and to use the different options or services that exist in it. This includes cookies for controlling traffic and data communication, identifying the session, accessing restricted access parts, among others. 

Cookies for management of advertising spaces also fall in this category. These cookies are exempt from all obligations when they are used exclusively to allow the provision of the service requested by the user.

  • Preference or customization cookies

They allow a personalized user experience in a website, memorizing options and choices such as language, filters, etc. 

They will be exempt from the obligations of article 22.2 of the LSSI when it is the user himself who chooses these characteristics.

  • Analysis or measurement cookies. 

They make it possible for someone to quantitatively monitor and analyze the behavior of the users of the websites to which they are linked. 

The GT29 stated that they are not exempt from the duty to obtain informed consent for their use, but are unlikely to represent a privacy risk when they are first-party cookies.

  • Behavioral advertising cookies.

 These are ones that store information on the behavior of users with the continuous observation of their browsing habits, making it possible to provide custom advertisements.

What and how to inform users about cookies?

Users should be informed about:

  • Definition, type, generic function, and purpose of cookies.
  • Identification of who uses cookies.
  • How to accept, deny, or revoke consent.
  • Where appropriate, information on data transfers to third countries made by the editor.
  • When profiling involves automated decision-making with legal effects for the user or that similarly affects them.
  • Period of data conservation for the different purposes established in article 13.2 a) of the GDPR.

Users must be informed in a concise, understandable, clear, and unambiguous way. 

During consent collection, this information cannot be further than 2 clicks away from the first page. The main information is to be provided in a clearly visible notice in two layers, the main layer, and a detailed, optional layer. 

When requesting registration for a service, or before downloading a service or an application, this information may be provided together with the privacy policy.

Other information required by article 13 of the GDPR, unrelated to cookies, may be referred to in the privacy policy.

How to obtain consent?

It is necessary to obtain consent to use cookies nonexempt from the regulation. Consent has to be freely given by clicking on “I consent", "I accept", or other similar terms.

Consent can also be obtained by inferring it from an unequivocal action performed by the user after they have been provided with sufficient information about the use of cookies.

The determination of which is the most appropriate method to obtain consent will depend on the type of cookies, their purpose, and whether they are your own or those of third parties. 

It is necessary to inform the user if data will be shared with other web pages of the same publisher or even with associated third parties.

Some of the mechanisms that can be used for obtaining consent are:

  • When requesting the discharge of a service.
  • During the process of configuring the operation of the website or application.
  • Through consent management platforms (CMP).
  • Before the moment when a service or application is offered.
  • Through the layered information format.
  • Through browser settings.

How to obtain consent from children under 14 years of age?

The GT29 recommends organizations to refrain, in general, from creating profiles of children for marketing purposes.

For websites or online services specifically aimed at minors, an additional effort has to be put into the simplicity and clarity of the language used.

In the case of minors under 14 years of age, the data controller has to make sure that consent for the processing of personal data was given by the holder of parental authority or guardianship. 

Thus, the level of risk associated with the use of cookies should be considered. The lower the risk, the simpler the verification system that can be implemented. 

For example, in the case of a website aimed at minors that did not register, and if their device and navigation data are used only for analytical purposes, the consent of the holder of parental authority or guardianship could be obtained through warning or call directed to the minor. The first information layer should state that “if you are under 14 years of age, before continuing browsing, notify your father, mother or guardian to accept, configure or reject cookies”.

When cookies are used to store data about users or their terminal for experience customization, and no profile of the minor is drawn up, additional precautions should be taken to verify that consent was given or authorized by the holder of parental authority or guardianship.

The editors may use any verification formula that is reasonable to verify that the holder of the parental authority or guardianship is the one who gives the consent, and not the minor under fourteen years of age (for example, questions or captchas).

Uses of higher risk than those may require additional information from parents or guardians for verification purposes (for example, a contact email to which the editor can send an email to verify acceptance by the minor's parents or guardian).

If consent to the use of cookies is obtained during the process of registering for a service, or in the context of another process in which personal data is requested from minors, additional information about the parents or guardians may be requested for verification purposes. Alternatively, they may be asked to sign a declaration of consent.

Obtaining cookie consent when an editor provides services through different pages

The same publisher who provides different services through different domains may, through a single web page, inform and obtain consent for the use of cookies in the rest of the domains that have similar characteristics. 

Users have to be informed about the web pages or domains to which the cookies will be sent, the type of cookies, and the purposes for which they will be processed.

If a publisher provides services with characteristics that are not similar, it is necessary to adopt additional precautions.

Do I need to get consent again if I make changes to the use of cookies?

It won’t be necessary to obtain consent every time a user visits the same web page from which the service is provided.

However, it is clear that if the purposes of cookie collection or the third parties that use cookies change, it will be necessary to update the cookie policy and allow users to make a new decision.

When should I update the consent?

The EDPB recommends consent renewal at appropriate intervals as best practice. The agency considers it good practice that consent validity does not last longer than 24 months. 

During this time, any selections made by the user on their preferences should be preserved.

Withdrawal of consent for the use of cookies

Users must be able to revoke consent easily and at any time. 

The publisher must provide information to users on how they can withdraw consent and delete cookies. These instructions must be included in their cookie policy.

Possibility of denial of access to the service in case of rejection of cookies

Since the EDPB guidelines on consent state that it has to be given freely, access to services and functionalities must not be subject to the acceptance of cookies. 

This criterion is especially important in cases where the denial of access would prevent the exercise of a legally recognized right.

There may be certain cases in which the non-acceptance of the use of cookies will prevent access to the website or the total or partial use of the service, provided that the user is properly informed about it and cookie-free alternative access to the service is offered. The alternative has to have equivalent value and to be offered by the same publisher.

Final Thoughts

The editors will not need to report on the use of cookies:

  • As long as they are only used for the operation of the website;
  • Are among the category of exempt cookies.

In case of using cookies to create a profile for marketing or to store data for other commercial purposes, the editor must:

  • Mention it clearly;
  • Make the cookie configuration panel accessible;
  • Offer a way to reject cookies while maintaining access to the website.

If you would like to receive additional information about Secure Privacy and GDPR Cookie Consent compliance or to have our data protection expert carry out a quick ‘check-up’ of your website, cookie consent banner, or your cookie policy, book a call today.

Alternatively, you can sign up for your free trial of our complete GDPR compliance solution here.

Additional Resources:

Irish Data Protection Commission

The Belgian Data Protection Authority

Germany’s DSK

French CNIL Consent Guidelines

The Dutch DPA's Cookie Consent Guidelines

Greek DPA Cookie Consent Guidelines:

Our detailed GDPR compliance guide 

The ultimate guide to GDPR Cookie Consent Compliance

Secure Privacy dashboard

Want to try
Secure Privacy?

Get your free cookie banner up and running today!

Blog Posts
That also interest you