New Guidelines With Updated Obligations on Cookies in Spain: Companies Have Just a Few Months to Adapt Their Websites


The Spanish DPA (AEPD) published earlier this week new guidelines on cookies in order to update the existing ones to the recommendations of the European Data Protection Board (EDPB).

The Agencia Española de Protección de Datos (AEPD) has  published a new “Guide on the use of cookies” to adapt it to the Guidelines 03/2022 on deceptive design patterns in social media platform interfaces published by the EDPB in February of this year. For that, the DPA has requested the participation of the different stakeholders. The newly stated obligations and criteria must be met before  January 11, 2024.

The EDPB published in February 2023 Guidelines 03/2022 on deceptive design patterns in social media. The AEPD incorporates into the new version of their Guidelines the criteria of the EDPB, which essentially states that the actions to accept or reject cookies must be presented in a prominent place and format, and both (accept/reject) actions must be presented at the same level, without making it more complicated to reject them than to accept them. The Guidelines further include new examples on how these options should be displayed, offering indications on, among other things, the color, size and place in which they appear. For example, the color and contrast of the text with the buttons "may not be misleading to users." In other words, it will not be valid if the option to reject cookies is a button with a text that does not contrast sufficiently with the color of the button and, therefore, cannot be read.

Specifically, AEPD points out that the information must be concise, transparent and understandable. That is, use clear and simple language, so that it can be understood by an average user. For example, the lower the technical level of the average user of that website, the simpler the language used should be. In fact, the Guide specifies that terms that are imprecise such as "may", "might", "some", "often" and "possible" should be avoided.

In this framework, phrases such as 'we use cookies to personalize your content and create a better experience for you' or 'we may use your personal data to offer personalized services' would not be valid.

Furthermore, a series of amendments to the previous criteria have been carried out: in the case of personalization cookies, when the user himself makes decisions about them (for example, the choice of the language of the web or the currency in which he wishes to carry out transactions), these are technical cookies that do not require consent. Provided, however, these are not used for other purposes.

Notwithstanding this, when it is the editor who makes these types of decisions about personalization cookies based on the information it obtains from the user, such user must be informed about it, prominently and offering the option to accept or reject cookies. In this case, the publisher could not use them for different purposes either.

Finally, regarding cookie walls, the previous Guide already specified that in order for consent to be considered freely granted, access to the service and its functionalities could not be conditioned to the fact that the user consented to the use of cookies. Therefore, there could be cases in which the non-acceptance of the use of cookies prevents access to the website or the total or partial use of the service, provided that the user is informed and the editor offers an alternative to access the service without having to accept the use of cookies. The new version of the Guide clarifies that said alternative will not necessarily have to be free of charge.

The Guidelines can be reached here


Article provided by INPLP member: Belén Arribas Sánchez (Belén Arribas, Abogada, Spain)



Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.