How Spanish Law Regulates Cookies
Spain's cookie rules sit at the intersection of three legal instruments. The LSSI-CE (Ley de Servicios de la Sociedad de la Información y de Comercio Electrónico, Law 34/2002) is Spain's transposition of the EU ePrivacy Directive. Article 22.2 of the LSSI-CE requires informed consent before storing or accessing cookies on a user's device, unless the cookie is strictly necessary for delivering a service the user has requested.
The LOPDGDD (Ley Orgánica de Protección de Datos Personales y Garantía de los Derechos Digitales, Organic Law 3/2018) complements the GDPR at national level. It sets the domestic penalty framework and establishes the AEPD (Agencia Española de Protección de Datos) as Spain's supervisory authority.
The GDPR itself applies directly, meaning any processing of personal data through cookies must satisfy its conditions for valid consent under Article 7.
The AEPD Cookie Guide - May 2024 Edition
The AEPD published the first version of its cookie guide (Guía sobre el uso de las cookies) in 2020 and has updated it several times since. The most recent edition, dated May 2024, aligns with EDPB Opinion 8/2024 on consent-or-pay models and the EDPB Guidelines 03/2022 on deceptive design patterns.
Key positions in the 2024 guide include a strict two-layer information model for cookie banners, a maximum recommended cookie lifespan of 13 months without automatic renewal, mandatory granular consent controls, and specific rules on cookie walls and pay-or-consent models.
Enforcement of the updated criteria began on 11 January 2024, following a six-month transitional period announced in July 2023.
Two-Layer Banner Model
The AEPD requires cookie information to be presented in two layers. The first layer appears in the banner itself and must contain the identity of the site owner, a summary of cookie purposes, information about third parties that set cookies, an accept button, a reject button of equal prominence, and a link to the second layer.
The second layer - typically a full cookie policy page - provides detailed information about every cookie: its name, provider, purpose, category, and duration. This is where you list specifics such as _ga, _fbp, or PHPSESSID.
Both accept and reject options must be presented on the first layer. The AEPD does not recognise scrolling, continued browsing, or closing the banner as valid consent. Only a clear, affirmative action counts.
Granular Consent by Category
The guide requires that users can accept or reject cookies by category - for instance, accepting analytics cookies while refusing marketing cookies. Pre-ticked boxes are not allowed. Each category must default to off until the user actively opts in.
Cookie Walls and Pay-or-Consent in Spain
The AEPD permits cookie walls under narrow conditions. The user must be fully informed, and an equivalent alternative must exist for accessing the service without accepting non-essential cookies. That alternative must come from the same publisher - redirecting users to a different site does not satisfy this requirement.
Following the EDPB's April 2024 opinion, pay-or-consent models face additional scrutiny. The AEPD's updated guide warns that the paid alternative must be genuinely equivalent, and the price must not be so high that it effectively coerces consent.
Spanish Cookie Penalties at a Glance
| Infringement Type | Legal Basis | Maximum Fine |
|---|---|---|
| LSSI-CE violation (cookies without consent) | Article 22.2, LSSI-CE | 30,000 EUR |
| Minor GDPR breach | Article 83(4), GDPR / LOPDGDD | 10,000,000 EUR or 2% global turnover |
| Serious GDPR breach (invalid consent) | Article 83(5), GDPR / LOPDGDD | 20,000,000 EUR or 4% global turnover |
Cookie-specific fines under the LSSI-CE tend to be lower than those issued under the GDPR. In November 2024, the AEPD fined SEAT S.A. 20,000 EUR (reduced to 12,000 EUR after voluntary payment) for placing cookies automatically at the start of a user's session without prior consent. Earlier cases involved Twitter, Innova Resort, and Petrolis Independents for failing to inform users correctly about cookie use.
Where cookie activity also involves unlawful personal data processing - for example, sharing behavioural profiles without a valid legal basis - the AEPD can apply the higher GDPR penalty thresholds.
How Spain Compares to Other EU Member States
Spain's approach shares common ground with other major EU markets but has its own distinct flavour. France's CNIL similarly mandates equal-prominence accept and reject buttons, and was the first to issue significant fines for cookie violations. Italy's Garante published detailed cookie guidelines in 2021 with a comparable two-layer model. Germany's TTDSG requires opt-in consent for non-essential cookies, though enforcement has historically focused on GDPR rather than cookie-specific rules.
Portugal's CNPD is another Iberian reference point. The CNPD has been vocal on cookie walls and analytics exemptions, and sites targeting both Spanish and Portuguese users need to comply with each authority's positions.
A constant across all these jurisdictions: pre-ticked boxes and implied consent through continued browsing are invalid.
Compliance Checklist for Spanish Websites
Use this checklist to verify your site meets AEPD requirements.
- No non-essential cookies fire before the user gives affirmative consent
- The cookie banner shows accept and reject buttons with equal visual prominence on the first layer
- Users can select or deselect cookie categories individually (analytics, marketing, functional)
- A link to the full cookie policy (second layer) is visible in the banner
- The cookie policy lists every cookie by name, provider, purpose, category, and duration
- Cookie lifespans do not exceed 13 months
- Consent is re-requested when new cookie purposes are added
- Consent records are stored as proof of compliance
- Users can withdraw consent at any time through a persistent settings link or button
- If a cookie wall is used, an equivalent alternative exists on the same domain
Running a cookie scan is the fastest way to identify every cookie and tracker on your site before configuring your banner.
Strictly Necessary Cookies - What Is Exempt
Article 22.2 of the LSSI-CE exempts cookies that are technically required to deliver a service the user has explicitly requested. Session cookies like PHPSESSID that maintain a shopping cart or login state fall into this category. Language preference cookies such as pll_language are generally considered functional rather than strictly necessary, and the AEPD's guide treats them as requiring consent.
Load-balancing cookies and cookies that remember a user's consent choice are also typically exempt. The AEPD has published a separate supplementary guide on analytics cookies for audience measurement, but it does not grant a blanket exemption for analytics - conditions around anonymisation and first-party-only use apply.
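An added example (not from the AEPD guide or the original article): a Node.js audit of Set-Cookie headers captured on a first page load, before the banner is touched, covering the checklist's pre-consent and 13-month items together with the PHPSESSID exemption described above. The allowlist contents, the 396-day approximation of 13 months, and the sample headers are assumptions constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers captured BEFORE any consent action.
// Assumption: which cookies are strictly necessary is the site's own assessment;
// this allowlist holds only the session cookie the article names as exempt.
const STRICTLY_NECESSARY = new Set(["PHPSESSID"]);
// Assumption: 13 months approximated as 396 days (13 x 30.44, rounded up).
const MAX_LIFETIME_S = 396 * 24 * 3600;

// Parse one Set-Cookie value into its name and lifetime in seconds
// (lifetime null means a session cookie with no Max-Age or Expires).
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.includes("=") ? pair.slice(0, pair.indexOf("=")) : pair;
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const val = eq === -1 ? "" : attr.slice(eq + 1);
    if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = Number(val);
    if (key === "expires" && !Number.isNaN(Date.parse(val)))
      expires = Math.round((Date.parse(val) - now.getTime()) / 1000);
  }
  // Max-Age takes precedence over Expires when both are present (RFC 6265).
  return { name, lifetime: maxAge !== null ? maxAge : expires };
}

// Return one finding per rule that a cookie breaks.
function auditPreConsent(headers, now) {
  const findings = [];
  for (const h of headers) {
    const { name, lifetime } = parseSetCookie(h, now);
    if (!STRICTLY_NECESSARY.has(name))
      findings.push({ name, issue: "set-before-consent" });
    if (lifetime !== null && lifetime > MAX_LIFETIME_S)
      findings.push({ name, issue: "lifetime-over-13-months" });
  }
  return findings;
}

// Constructed sample: response headers from a first visit, banner untouched.
const NOW = new Date("2024-06-01T00:00:00Z");
const SAMPLE = [
  "PHPSESSID=abc123; Path=/; HttpOnly; Secure",
  "_ga=GA1.1.111.222; Max-Age=63072000; Path=/",
  "pll_language=es; Expires=Sun, 01 Jun 2025 00:00:00 GMT; Path=/",
  "_fbp=fb.1.1717200000.1; Max-Age=7776000; Expires=Fri, 01 Jun 2035 00:00:00 GMT",
];
console.log(auditPreConsent(SAMPLE, NOW));
```

Running the same audit on headers captured after a reject click shows whether a refusal is actually honoured, since the set-before-consent findings should be identical in both captures.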
Frequently Asked Questions
Does the AEPD require a reject button on cookie banners?
Yes. The AEPD's cookie guide mandates that both accept and reject options appear on the first layer of the banner with equal visual prominence. Hiding the reject option behind a settings menu is not compliant.
What is the maximum cookie duration allowed in Spain?
The AEPD recommends a maximum cookie lifespan of 13 months. Cookies should not automatically renew their expiry date on subsequent visits.
Are analytics cookies exempt from consent in Spain?
Not by default. The AEPD has published guidance on audience measurement cookies, but exemptions apply only when strict conditions are met, including anonymisation and first-party-only processing. Most standard analytics setups using _ga or similar cookies still require consent.
Can I use a cookie wall on a Spanish website?
Cookie walls are permitted only if the user is fully informed and a genuinely equivalent alternative exists on the same domain. Redirecting users elsewhere does not satisfy this condition.
What fines can the AEPD issue for cookie violations?
Under the LSSI-CE, fines reach up to 30,000 EUR per violation. Where cookies involve unlawful personal data processing, GDPR penalties of up to 20 million EUR or 4% of global turnover may apply.
Does scrolling count as cookie consent in Spain?
No. The AEPD explicitly rejects scrolling, continued browsing, and closing the banner as forms of valid consent. Only a clear affirmative action - such as clicking an accept button - qualifies.