Spanish Data Protection Authority (AEPD) releases new Guidelines on the use of Cookies


The Spanish Data Protection Authority (AEPD) has just updated the Guide on the use of “cookies” to adapt it to the Guidelines 05/2020 on consent under Regulation 2016/679, as modified in May 2020 by the European Data Protection Board (EDPB).

This update was quite expected since the publication of the DPA’s 'Cookie' Guide in No-vember 2019 generated some controversy among other DPAs as well as the experts at large.  Indeed, the option to continue browsing as a way of expressing the user's consent, as it was recognized in that Guide, was not  well regarded by other regulators given the  requirement of express consent in GDPR (General Data Protection Regulation). This was also the position of the EDPB. 

Regarding the "cookie walls", the Board specified that for consent to be considered freely granted, access to the service and its functionalities should not be conditioned on the user consenting to the use of cookies ("cookie wall" ). For this reason, the new Guide establishes that the so-called "cookie walls" that do not offer an alternative to consent may not be used, in particular, in those cases in which the denial of access would prevent the exercise of a legally recognized right to the user as, for example, where access to a website is the only means provided to the user to exercise this right. The AEPD indicates that, however, “there may be certain cases in which the non-acceptance of the use of cookies prevents ac-cess to the website or the total or partial use of the service, provided that the user is ade-quately informed about this and offers an alternative to access the service without having to accept the use of cookies. As established in the 05/2020 Guidelines on the consent of the EDPB, the services of both alternatives must be genuinely equivalent. Likewise, it will also not be valid that the equivalent service is offered by an entity other than the publisher ".

When the EDPB in its plenary session in May published such Guidelines, the AEPD already announced changes ahead.

The new AEPD’s Guide Guide on the use of “cookies”of has been published in its web-site.  See:

The new criteria stated must be implemented no later than October 31 of this year, thus it establishes a transitional period of three months for the Spanish organizations to adapt.

Despite the fact that with the approval in the future of the‘ Eprivacy ’Regulation, still pend-ing, it is possible that it will alter the‘ cookie ’regulations again in some way, it is of the ut-most importance that all organizations using „cookies“ adapt as soon as posible to this new development, in particular, as the sanctions imposed by the Spanish DPA for infringing the „cookies“ regime have been quite high so far. A € 30.000 fine has been imposed on the so-cial media Twitter and the same amount has been imposed on the aviation company Vueling.


Article provided by: Belén Arribas (Spain)  



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.