Granular, on scroll, on continued browsing… The cookie consent law may differ from state to state, let’s find out which rules apply in Spain.
No, the Spanish Data Protection Authority (Agencia Española de Protección de Datos – AEPD) does not recognize consent by scrolling to be a valid indication of affirmative consent.
No. As with consent on scroll, cookie consent law in Spain does not recognize consent via continued browsing to be valid. Consent should be given via a direct affirmative action.
If the “Accept” button is not clicked, the user is not consenting to the use of cookies. This means that, in the case where the user does not click the button to accept cookies and simply continues browsing, no consent has been given.
Yes. The Spanish Data Protection Authority (AEPD) explicitly refers to the requirements of having both “Accept” AND “Reject” buttons.
These two buttons must be equally visible, put on the same layer and at the same level. The AEPD guide gives some examples where buttons have the exact same format (color, size, position).
In general, note that the option to reject cookies cannot be more complex than the possibility to accept cookies.
Yes. Except for exempt categories, cookies must be blocked until users have given their consent.
Yes, you need to give users granular control on which categories of trackers to give consent to. The AEPD confirmed that cookies should be categorized based on their purpose, enabling users to selectively accept them (e.g., accepting analytical but not behavioral advertising cookies). This categorization isn’t fixed and can vary as long as the purpose distinctions remain clear.
Additionally, if the website publisher chooses, cookies can be further classified based on the third party responsible for them (e.g., choosing to accept analytical cookies from a certain third party and not those from another). For third-party cookies, identification by name or public brand, excluding the full corporate name, is sufficient. Overly detailed classifications, such as cookie-to-cookie selections within the same category, should be avoided to prevent decision-making complexity.
Not clearly specified. There is a chance that – unlike Italy – a technical cookie is not sufficient proof of consent, and therefore cannot be used to meet the requirement of keeping track of the consent acquired.
In this case you’ll have to keep records of consent – rather than simply proof.
Our comprehensive cookie management solution allows you to:
