Cookie Compliance: Valid Consent, Not Just a Banner

Cookie compliance in Spain is governed by Article 22(2) of Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE), read in conjunction with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the AEPD's Cookie Guidelines (updated 2023). Non-essential cookies — including analytics, advertising, and social media cookies — require prior, freely given, specific, informed, and unambiguous consent before being placed on a user's device; consent obtained through dark patterns (such as a more prominent "Accept" button, or rejecting cookies buried in configuration menus) does not meet the legal standard. The forthcoming ePrivacy Regulation will replace the LSSI-CE cookie provisions at EU level.

Cookie compliance is the area of data protection where the largest gap exists between how businesses perceive their position and the regulatory reality. A cookie banner on a website is not compliance — it is the starting point of a system that, to be valid, must ensure that the consent obtained meets all the requirements of the GDPR and the AEPD’s Cookie Guidelines.

Why Cookie Compliance Matters for Your Business

The AEPD’s updated 2023 Cookie Guidelines set concrete criteria that many current implementations do not meet. The equivalence requirement — that accept and reject options must be equally prominent and accessible in the first layer of the banner — generates the most violations. The common practice of placing an Accept all button on the first layer and making rejection available only through a settings link buried in secondary navigation is expressly contrary to the AEPD guidelines and has resulted in sanctions in recent enforcement decisions.

The technical cookie audit also regularly reveals situations organisations were unaware of: third-party scripts loading before the user has interacted with the banner, cookies setting regardless of the option chosen, or advertising trackers active that the technical team had forgotten and that do not appear in the cookie policy. This technical opacity generates the greatest regulatory risk, because it means the recorded consent does not correspond to the actual processing being carried out.

Our Cookie Compliance Audit and CMP Implementation Process

For companies with advanced digital marketing strategies, cookie compliance does not have to mean abandoning measurement. The correct implementation of Google Consent Mode v2, combined with a properly configured CMP, allows useful conversion measurement to be maintained even when a portion of users rejects cookies — using Google’s data modelling for non-consent sessions. This compliance architecture is what allows businesses to balance the regulatory obligation with the data needs of commercial decision-making.

The pre-consent blocking of third-party scripts is the critical technical control that separates a functioning CMP from a cosmetic one. A banner that records user preferences but fails to block the underlying scripts before consent — a common failure in CMP implementations — provides no actual protection and is easily detected in a technical inspection. We verify the full technical implementation, not just the visual appearance of the consent interface.

Real Results from Cookie Compliance

A correctly implemented cookie compliance system delivers zero AEPD sanctions for clients who maintain it properly. The combination of a technical audit, a correctly configured CMP, and documented consent records is the evidence that regulators look for and that our clients have consistently demonstrated. In the broader context of GDPR compliance, cookie compliance is the most visible interface of a company’s privacy commitment — the one users experience directly and the one supervisory authorities inspect most easily. Our external DPO service provides ongoing oversight to maintain compliance as platforms and regulations evolve.

Preparing for ePrivacy and the Regulatory Road Ahead

The ePrivacy Regulation has been delayed repeatedly, but its eventual entry into force will require material changes to consent systems, electronic communications metadata handling, and digital advertising rules. Organisations that build their consent infrastructure correctly now — with a well-structured CMP, documented consent records, and a modular architecture — will adapt far more easily when the Regulation finally applies. Privacy by design integration ensures cookie compliance does not operate in isolation from your broader privacy framework.