Spain

Can you place cookies without consent?

No. Article 22(2) of the Information Society Services and e-Commerce Act requires consent.

Are cookie rules (whether specific or within general data protection laws) followed in practice?

Yes, although with some deviations.

In practice, several companies breach their duty to gather users’ informed consent prior to the use of cookies. Three of the most frequent and serious deviations are:

  1. there are still websites that gather the users’ consent through “continue browsing” solutions, which is no longer valid;
  2. some websites automatically download cookies onto the user’s terminal as soon as they access the website, without any action on their part; and
  3. many of the cookie banners used in practice do not offer a “reject” button in the first layer alongside the “accept” and “settings” (if applicable) buttons, which does not comply with the latest guidelines issued by the AEPD and mentioned below.

Are there any exemptions if consent is required?

Yes. Consent is not needed for placing and using the following:

  • Technical cookies (e.g., those needed to ensure the transmission of a communication over an electronic communications network such as cookies used for remembering the items added to a cart or cookies that enable the proper functioning of the payment process) and/ or strictly necessary cookies (e.g., those needed to provide an information society service expressly requested by the user such as those cookies that provide a function to remember the preferred language of a user or the number of search results to be displayed or cookies that enable remembering the browser used by the user to ensure an optimal browsing experience);
  • Personalisation cookies if the users themselves choose the corresponding features (e.g., if they select the language of a website by clicking on the flag icon of the country concerned, the currency to be used in transactions, the font size or the size or the color contrast between the background and the content to improve readability), provided that the cookies are used exclusively for the purpose selected; and
  • Audience measurement cookies, insofar as these:
    • are only used for the purposes of producing anonymous statistical data;
    • do not result in data being merged with other processing operations or data being passed on to third parties; and
    • do not allow the aggregate tracking of the browsing of the person using different applications or browsing different websites (i.e., any solution that uses the same identifier on several sites to cross-reference, duplicate or measure a standardised audience outreach rate of a piece of content is excluded).

Can you place the following cookies automatically:

i. Analytics cookies, ii. Advertising cookies, iii. Social media cookies

No. Consent must be granted by means of a clear affirmative action. Only technical, strictly necessary, personalisation and audience measurement cookies (subject to the rules and limitations mentioned above) can be placed automatically. In its guidance on cookies, the AEPD refers to the Article 29 Working Party’s Opinion 04/2012 on Cookie Consent Exemption, as well as to the latest report issued by the EDPB on the work undertaken by the Cookie Banner Taskforce.

It is important to note that if those same cookies are also used for other purposes which are not exempt (for example, for behavioural advertising purposes), they shall be subject to the same information and consent obligations as the other types of cookies.

Are you able to gain consent without a user ticking ‘accept’, i.e., imply consent from a user continuing to browse the site?

No. Consent must be granted by means of a clear affirmative action.

Can you set cookies without a cookie notice? 

No, unless only technical and/ or strictly necessary cookies are used.

Can you set cookies without a cookie banner/ management tool?

Information does not necessarily have to be provided by means of a cookie banner (other ways of providing the information could serve as well, for example a notice prior to accessing an information society service), but a management tool is needed.

If a cookie banner is used, the following needs to be included in it:

  • a “Consent” or “Accept” button. “Continue browsing…” solutions are no longer valid;
  • a settings/ management tool (or a link to it) enabling users to give granular consent to (at least) each category of cookies, taking into consideration that users must be able to withdraw consent easily (at least in a way that is as easy as the way of giving consent);
  • a “Reject” button;
  • information on: the identity of the website owner, a brief description of the purposes for which cookies will be used, information on whether cookies used are first and/ or third-party, information on profiling (where appropriate), way of accepting/ managing/ rejecting cookies; and
  • a link to the full cookie policy that includes detailed information on the use of cookies through the website.

The AEPD highly recommends somehow highlighting the buttons and links included in the banner. Also, regardless of how consent is obtained, the option to reject cookies should be offered to the user at the same time, at the same level and with the same visibility as the option to accept cookies, without redirecting the user to a different layer or place to perform that action. Therefore, the mechanism used for accepting and rejecting cookies will have to be the same (be it a button or other equivalent mechanism), while the mechanism used for the settings panel may be different.

Although the use of a cookie banner (including a link to a full cookie notice) is the most common way of providing information on cookies in practice, the AEPD has confirmed that other alternatives are valid as well. For example, the full information can be presented to the user when accessing the website (instead of using a two-layer system). Information on cookies may also be provided together with the privacy policy or some terms and conditions, as long as the user is able to access the cookie section of the privacy policy/ terms and conditions directly through a link.

Are you able to use cookie walls? 

Cookie walls may only be used if a cookie-free equivalent information society service (that does not necessarily have to be free of charge) is also offered and the user is informed about this option.

Is the local regulator currently enforcing decisions against breaches of cookie rules?

Yes, it is.

Please find in the following table some of the most recent relevant AEPD decisions that involve cookies:

| Decision | Controller | Conduct | Fine |
| --- | --- | --- | --- |
| PS/00524/2021 | IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. | The first layer banner had unconcise, not transparent, and incomprehensible information. If the "accept" button or the "cookie settings" button was not clicked, no further browsing was allowed, thus not giving the user the option to reject the cookies deposit. | €30,000 |
| PS/00475/2021 | MYHERITAGE, LTD | Use of own and third party non-necessary cookies without the user’s express consent. Lack of information on typology of used cookies. | €20,000 (for infringement recognition: €16,000) |
| PS/00032/2022 | VUELING AIRLINES, S.A. | The use of third-party cookies that are not technical or necessary; the groups of cookies pre-marked in the "accepted" option in the control panel and the impossibility of rejecting third-party cookies that are not technical or necessary. | €30,000 (for infringement recognition: €18,000) |
| PS/00080/2023 | CHATWITH.IO WORLDWIDE S.L. (used to be known as IURIS MARKETING S.L) | Use of dark patterns in order to force users to transfer their personal data to 130 companies. The AEPD has considered that obtaining consent through persuasion techniques, known as "dark patterns", constitutes a violation in the processing of personal data. | €12,000 (€7,000 is imposed for breach of the duty to inform and €5,000 for the use of dark patterns) |

 

Are there any current consultations relating to ad tech/cookies?

None that we are aware of.

Are there any anticipated changes to the rules and/ or have there been changes to the attitudes in the market (for example, case law or industry body decisions)?

The AEPD has been quite active with regard to cookies. On 11 July 2023, it published a new version of the guidelines on the use of cookies that includes some clarifications, most of which come from and are in line with the report published earlier in January by the EDPB cookie banner taskforce. Following those guidelines, the AEPD has been quite active in enforcing the rules on cookies, especially with regard to the use of dark patterns.

In addition, at the beginning of January 2024, the AEPD published some guidelines on the use of cookies for audience management tools.