Imagen de Harryarts en Freepik

Latest AEPD update on Cookies Policy (July 2023)

The Internet plays a crucial role in European society and economy. In this sense, online advertising, powered by cookies, plays a fundamental role in this contribution, representing a significant part of advertising investment.

This has led to steady growth in internet spend, overtaking television in terms of advertising spend. However, it also poses challenges in terms of privacy, leading to the need to obtain informed consent from users for the use of cookies.

Cookies are small files that contain certain information about the user’s navigation through the Website to remember their preferences. This information may be used to offer specific services, display personalized ads, or even develop new features or free products. Since this affects the privacy of users, regulations at both community and national levels require obtaining informed consent from users to ensure that they are aware of how their data is used and for what purposes.

Along these lines, last July of this year 2023, the Spanish Data Protection Agency (Agencia Española de Protección de Datos, hereinafter, “AEPD”) updated the “Guide on the use of cookies” to adapt it to the Guidelines on consent modified in May 2020 by the European Data Protection Committee.

More specifically, the AEPD developed an orientation guide on the use of cookies, making special reference to Law 34/2002, of July 11, on information society services and electronic commerce (hereinafter, “LSSI”), in relation to Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, General Data Protection (hereinafter, “RGPD”) and Organic Law 3/2018, of December 5, Data Protection and guarantee of digital rights (hereinafter, “LOPDGDD”).

In this sense, the AEPD establishes that the legal obligations imposed by the regulations are two: the obligation of transparency and the obligation to obtain consent.

On the one hand, regarding the obligation of transparency, the AEDP establishes that “the information about cookies provided at the time of requesting consent must be sufficiently complete to allow users to understand their purposes and the use that will be given to them” . In order to comply with these requirements, the AEDP establishes that the following information must be included in the cookie policy:

  1. Definition and generic function of cookies,
  2. Information about the type of cookies used and their purpose,
  3. Identification of who uses the cookies,
  4. Information on how to accept, deny or revoke consent for the use of cookies,
  5. Information on data transfers to third countries carried out by the publisher,
  6. Preparation of profiles that involve automated decision making,
  7. Data retention period,
  8. Other information required by Article 13 of the RGPD that does not specifically refer to cookies.

Furthermore, in its guidelines on transparency, the Article 29 Working Group (WG29) recommends the use of layered privacy statements or notices, that is, it suggests using multi-layered privacy statements or notices. This means that the information is presented in sections, allowing users to access the part that interests them most without feeling overwhelmed by a large amount of information at the same time, with the AEPD distinguishing the information that should be included in each of the layers.

On the other hand, in the context of privacy, it is essential to ensure that users give their consent clearly and explicitly. This can be achieved through concrete actions, such as clicking a button indicating “I consent” or taking unambiguous actions after receiving clear information about the purpose and use of cookies, whether they are first-party cookies or third-party cookies.

More specifically, among the transparency requirements, it is relevant to highlight the following rules that must be followed when providing information to users about the use of cookies:

  1. The information or communication must be concise, transparent and intelligible,
  2. Clear and simple language must be used, avoiding the use of phrases that lead to confusion or distort the clarity of the message.
  3. The information must be easily accessible.

Additionally, users must have the option to reject cookies, and this option must be as visible as the option to accept them.

Regarding non-compliance related to cookies, until now the AEPD has been imposing sanctions of between €3,000 and €30,000.

To the obligations established in October 2020, the following are now added after the July 2023 update:

  • The actions of accepting and rejecting cookies must be presented in a prominent place and format, and both actions must be at the same level, without making it more complicated to reject them than to accept them.
  • Personalization cookies are considered technical cookies that do not require consent.
  • Finally, regarding cookie walls that prevent access to a web page, it is mandatory to present an alternative to access the service without having to accept the use of cookies. The new version of the Guide clarifies that this alternative could be paid.

In summary, the balance between cookie functionality and user privacy is a constant challenge in the digital environment. Complying with Spanish and European regulations is essential to ensure a safe and transparent online experience for everyone, as well as to avoid unnecessary penalties.

This publication does not constitute legal advice.


How can LAW4DIGITAL help you?

At LAW4DIGITAL we are lawyers specialized in digital business. We provide comprehensive legal advice to digital companies. We help you with online legal advice.

We will keep you updated about digital business. In any case, you can contact us by sending an email to, calling (+34) 931 444 820 or filling out our contact form at

We look forward to seeing you in the next post!

Law4Digital Team.

Subscribe to our Newsletter!