Spanish New Cookie Guidelines: How to Achieve Compliance before the Deadline

A simple guide to understanding the intricacies of the updated cookie rules and ensuring your business’s compliance before January 2024

What are the Spanish Cookie Guidelines?

The Spanish cookie guidelines (‘Guía sobre el uso de cookies’) are a set of rules for the use of cookies on websites. Cookies collect your users’ data, even when they are set by services you use on your website. In July 2023, the Spanish Data Protection Authority (Agencia Española de Protección de Datos) released its most recent edition.
The guidelines were updated to conform to the European Committee for Data Protection’s guidelines 03/2022 on dark patterns.
The regulation of the use of cookies in Spain is influenced by the EU ePrivacy Directive, the General Data Protection Regulation (GDPR), and national legislation on electronic communications and data protection, including the Spanish Law on Information Society Services and Electronic Commerce (LSSI-CE) and the Spanish Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD).

What Are Cookies?

Cookies are small files that are stored on a user’s device when they visit a website. They are used for a variety of purposes, including tracking user behavior, remembering user preferences, and enabling certain website functionalities. User’s privacy when using cookies is important. Cookies can be used to obtain data related to users, which can later be used for various purposes, including serving advertisements or developing new products and services.
The criteria set out in the most recent guide should be implemented no later than 11 January 2024, establishing a transitional period of six months to introduce the necessary changes to the use of cookies. For example, you could use Cookie Information’s Consent Management Platform to adapt your cookie banner and cookie management.

Who Do the Spanish Cookie Guidelines Apply To?

The Spanish Cookie Rules apply to any organization that operates an online service, such as a website or a mobile app, and uses cookies or similar technologies. This includes both first-party cookies, which are set by the website the user is visiting, and third-party cookies, which are set by a website other than the one the user is visiting.
Obtaining informed consent from users is essential. For website owners, navigating the maze of cookie regulations might seem complicated. However, a proactive approach can simplify compliance. Begin with a comprehensive audit of all cookies used on your site. Understand their purpose, lifespan, and the data they collect. Transparency is key. Ensure that users are informed about the cookies in use and their rights concerning those cookies. Regularly update your cookie policies to reflect any changes and always prioritize user consent.

Fines for Non-Compliance

Non-compliance with the Spanish Cookie Rules can result in penalties in line with the penalties for non-compliance with the General Data Protection Regulation (GDPR), which can be up to €20 million or 4% of the company’s total global turnover, whichever is higher. These figures underscore the importance of adhering to regulations, not just as a legal obligation but as a testament to a company’s commitment to user privacy.
fines digital markets act

Rules for Obtaining Consent and Processing Data

Website owners need to provide clear and comprehensive information about the types of cookies used on their site, obtain explicit and informed consent for non-essential cookies.
Empowering users is at the heart of cookie regulations. Every user has the right to know, control, and decide how their data is used. This includes the right to access, modify, or delete personal data collected through cookies. Tools like cookie management platforms can be invaluable, allowing users to easily manage their cookie preferences. Furthermore, users should be provided with clear channels to exercise their rights, whether it’s through a dedicated portal, customer support, or detailed guides.

What Changed with the New Cookie Guidelines?

The actions to accept or decline cookies must be presented in one place and format, and both actions must be at the same level, without making it more difficult to accept or reject them. Obtaining this informed consent is typically done through a cookie notice or banner. Aspects such as color, size, and location of the buttons are considered. Having the cookie configuration button instead of the reject button was accepted older examples, but this is no longer valid (unless the reject button is present too).
If the user decides on personalization cookies (for example, language or currency selection), they are considered technical cookies that do not require consent, as long as they are not used for other purposes. For example, they could not be used for ad personalization or to create a user profile.
When it is the publisher who decides on personalization cookies based on user information, they must clearly inform and give the option to accept or reject such cookies, without using them for other purposes.
Regarding “cookie walls”, website owners still need to offer an alternative for access to the service and functionalities without the need for the user to accept cookies, but the new guide clarifies that this alternative does not have to be free.

What is the Deadline to Implement the new Cookie Guidelines criteria?

The criteria set out in the most recent guide should be implemented no later than 11 January 2024, establishing a transitional period of six months to introduce the necessary changes to the use of cookies. For example, you could use Cookie Information’s Consent Management Platform to adapt your cookie banner and cookie management.

How to Comply with the Spanish Cookie Rules?

  • Explicit and separate consent must be obtained from users answering “yes” to cookie usage, independent of their consent to any terms and conditions.
  • Clear, concise, and transparent information about cookies must be provided to users in layers.
  • Labeled acceptance and reject buttons. We recommend locating the reject button on the left, but the cases can be argued.
  • Cookies must be easily accessible and visible, for example, through a prominent link.
  • Cookie walls that require consent to access a site must be avoided unless alternative access (not necessarily free) is provided.
  • Continuing to navigate the website is not considered a clear way of giving consent.
  • Parental consent should be verified for children under 14.
  • Avoid profiling children for marketing purposes due to vulnerability.
  • Consent must be renewed at least every 24 months.
  • Liability should be specified in contractual arrangements with third parties involved in cookie usage.
Organizations can take several steps to ensure compliance with the Spanish Cookie Rules:
  • Conduct a cookie audit: Identify what cookies your website uses and what they are used for.
  • Provide clear information about cookies: Inform users about what cookies are used, why they are used, and what information they collect.
  • Obtain consent: Obtain consent from users before using cookies.
  • Document and manage consent: Keep a record of when and how consent was obtained, and provide users with the ability to withdraw their consent at any time.
  • Regularly review your cookie use: Regularly review your use of cookies to ensure it remains compliant with the Spanish Cookie Guidelines.
  • Provide an easy-to-use mechanism for users to withdraw their consent at any time.
  • Inform users about the data retention period and the use of cookies whilst the data is being retained.

What do Compliant Banners Look like in Spain?

Cookie banners in Spain should provide information in two layers. The first layer must include the site owner’s name, cookie policies, information about involved third parties, the types of data collected, and how to accept or reject cookie use. The updated guidelines accept an example including a button to configure the use of cookies as well.
This layer should also display a warning notifying the user that proceeding with certain actions on the site, is an implicit acceptance of cookie usage. Additionally, the first layer should contain a visible link to the second layer of information, which provides more detailed information about the cookies used on the site.
The Spanish cookie guidelines are more than just a set of rules; they represent a commitment to user privacy and data protection. As technology continues to evolve, so will the regulatory landscape. By understanding the core principles of these guidelines and proactively implementing them, businesses can ensure a seamless digital experience for users while upholding the highest standards of data protection.