No. Article 22(2) of the Information Society Services and e-Commerce Act requires it.
Yes, although with some deviations.
In practice, several companies breach their duty to gather users’ informed consent prior to the use of cookies. Three of the most frequent and serious deviations are:
Yes. Consent is not needed for placing and using the following:
No. Consent must be granted by means of a clear affirmative action. Only technical strictly necessary, personalization and audience measurement cookies (subject to the rules and limitations mentioned above) can be placed automatically. The AEPD refers to Article 29 Working Party’s Opinion 04/2012 on Cookie Consent Exemption in its guidance on cookies, as well as the latest report issued by the EDPB of the work undertaken by the Cookie Banner Taskforce.
It is important to note that if those same cookies are also used for other purposes which are not exempt (for example, for behavioural advertising purposes), they shall be subject to the same information and consent obligations as the other types of cookies.
No. Consent must be granted by means of a clear affirmative action.
No, unless only technical and/or strictly necessary cookies are used.
Information does not necessarily have to be provided by means of a cookie banner (other ways of providing the information could serve as well, for example a notice prior to accessing an information society service), but a management tool is needed.
If a cookie banner is used, the following needs to be included in it:
The AEPD highly recommends somehow highlighting the buttons and links included in the banner. Also, regardless of how consent is obtained, the option to reject cookies should be offered to the user at the same time, at the same level and with the same visibility as the option to accept cookies, without redirecting the user to a different layer or place to perform that action. Therefore, the mechanism used for accepting and rejecting cookies will have to be the same (be it a button or other equivalent mechanism), while the mechanism used for the settings panel may be different.
Although the use of a cookie banner (including a link to a full cookie notice) is the most common way of providing information on cookies in practice, the AEPD has confirmed that other alternatives are valid as well. For example, the full information can be presented to the user when accessing the website (instead of using a two-layer system). Information on cookies may also be provided together with the privacy policy or some terms and conditions, as long as the user is able to access the cookie section of the privacy policy/terms and conditions directly through a link.
Cookie walls may only be used if a cookie-free equivalent information society service (that does not necessarily have to be free of charge) is also offered and the user is informed about this option.
Yes, it is.
The following table lists some of the most recent relevant AEPD decisions that involve cookies:
Decision | Controller | Conduct | Fine |
PS/00524/2021 | IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. | The first layer banner had unconcise, not transparent, and incomprehensible information. If the "accept" button or the "cookie settings" button was not clicked, no further browsing was allowed, thus not giving the user the option to reject the cookies deposit. | €30,000 |
PS/00475/2021 | MYHERITAGE, LTD | Use of own and third party non-necessary cookies without the user’s express consent. Lack of information on typology of used cookies. | €20,000; for infringement recognition: €16,000 |
PS/00032/2022 | VUELING AIRLINES, S.A. | The use of third-party cookies that are not technical or necessary; the groups of cookies pre-marked in the "accepted" option in the control panel and the impossibility of rejecting third-party cookies that are not technical or necessary. | €30,000; for infringement recognition: €18,000 |
PS/00080/2023 | CHATWITH.IO WORLDWIDE S.L. (used to be known as IURIS MARKETING S.L.) | Use of dark patterns in order to force users to transfer their personal data to 130 companies. The AEPD has considered that obtaining consent through persuasion techniques, known as "dark patterns", constitutes a violation in the processing of personal data. | €12,000 (€7,000 is imposed for breach of the duty to inform and €5,000 for the use of dark patterns) |
None that we are aware of.
The AEPD has been quite active insofar as cookies are concerned. On 11 July 2023, it published a new version of the guidelines on the use of cookies that includes some clarifications, most of which come from and are in line with the report published earlier in January by the EDPB cookie banner taskforce. Following such guidelines, the AEPD has been quite active in enforcing the rules on cookies, especially with regard to the use of dark patterns.
In addition, at the beginning of January 2024, the AEPD published some guidelines on the use of cookies for audience management tools.