Cookie Compliance: Valid Consent, Not Just a Banner
Cookie audit, Consent Management Platform implementation, LSSI-CE compliance, and ePrivacy Regulation preparation for websites and digital platforms.
Why your cookie banner probably fails the AEPD standard
Does this apply to your business?
Does your cookie banner have a Reject all button as visible as the Accept all button, in the first layer of the banner?
Have you conducted a technical cookie audit in the last six months to verify no third-party cookies fire before user consent?
Does your CMP log the date and type of each user's consent, so you can demonstrate it to the AEPD in an inspection?
Is your Google Analytics and Google Ads implementation compliant with Consent Mode v2 and the AEPD Cookie Guidelines?
Our cookie compliance audit and remediation process
Technical cookie and tracker audit
We scan the website or application to identify all active cookies and trackers, classify them by category (essential, functional, analytical, advertising), and map the third-party providers involved.
Compliance analysis and gap report
We assess the current consent system against the AEPD Cookie Guidelines (2023): consent validity, ease of rejection, layered information, and cookie policy completeness.
CMP implementation or reconfiguration
We configure or implement the Consent Management Platform with the settings required for valid consent: equivalent rejection option, consent logging, and periodic renewal.
Documentation and maintenance
We draft or update the cookie policy with the complete tracker catalogue and detailed purposes, and establish a periodic review process for new cookies or platform changes.
The challenge
The AEPD's Cookie Guidelines require that consent for non-essential cookies be free, specific, informed, and unambiguous. Banners with a more prominent Accept button than Reject, rejection options buried in configuration menus, or the absence of an equally easy way to decline are documented violations the AEPD is actively sanctioning. Many companies believe they comply because they have a banner. Most do not meet the valid consent standard.
Our solution
We conduct a full technical cookie audit, design the consent architecture in line with the AEPD's Cookie Guidelines, implement or configure the Consent Management Platform (CMP), and document the cookie policy at the level of detail the regulation requires. For digital advertising and advanced analytics platforms, we design compliance strategies that do not sacrifice measurement.
Cookie compliance in Spain is governed by Article 22(2) of Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE), read in conjunction with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the AEPD's Cookie Guidelines (updated 2023). Non-essential cookies — including analytics, advertising, and social media cookies — require prior, freely given, specific, informed, and unambiguous consent before being placed on a user's device; consent obtained through dark patterns (such as a more prominent "Accept" button, or a rejection option buried in configuration menus) does not meet the legal standard. The forthcoming ePrivacy Regulation will replace the LSSI-CE cookie provisions at EU level.
Cookie compliance is the area of data protection where the largest gap exists between how businesses perceive their position and the regulatory reality. A cookie banner on a website is not compliance — it is the starting point of a system that, to be valid, must ensure that the consent obtained meets all the requirements of the GDPR and the AEPD’s Cookie Guidelines.
Why Cookie Compliance Matters for Your Business
The AEPD’s updated 2023 Cookie Guidelines set concrete criteria that many current implementations do not meet. The equivalence requirement — that accept and reject options must be equally prominent and accessible in the first layer of the banner — generates the most violations. The common practice of placing an Accept all button on the first layer and making rejection available only through a settings link buried in secondary navigation is expressly contrary to the AEPD guidelines and has resulted in sanctions in recent enforcement decisions.
The technical cookie audit also regularly reveals situations organisations were unaware of: third-party scripts loading before the user has interacted with the banner, cookies setting regardless of the option chosen, or advertising trackers active that the technical team had forgotten and that do not appear in the cookie policy. This technical opacity generates the greatest regulatory risk, because it means the recorded consent does not correspond to the actual processing being carried out.
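An added example, not BMC's audit tooling, of the checks such an audit runs over a snapshot of the cookies observed in the browser: non-essential cookies present before the banner was touched, cookies missing from the declaration, and the third-party providers involved. The snapshot, the first-party host, the banner interaction time and the name taxonomy are all constructed here; in practice the snapshot comes from a headless-browser run and the taxonomy from the CMP's cookie database.

```javascript
const FIRST_PARTY_HOST = 'shop.example';   // constructed first-party host of the audited site
const BANNER_INTERACTION_MS = 8200;        // page time (ms) at which the user first clicked the banner

// Constructed snapshot of a headless-browser run: name, domain, page time when the cookie
// appeared, and whether an HTTP header or a script set it. Most tracking cookies are set by script.
const OBSERVED = [
  { name: 'PHPSESSID',  domain: 'shop.example',     setAtMs: 120,  via: 'http' },
  { name: '_ga',        domain: 'shop.example',     setAtMs: 900,  via: 'script' },
  { name: '_ga_ABC123', domain: 'shop.example',     setAtMs: 910,  via: 'script' },
  { name: '_gcl_au',    domain: 'shop.example',     setAtMs: 950,  via: 'script' },
  { name: '_fbp',       domain: 'shop.example',     setAtMs: 1000, via: 'script' },
  { name: 'rtg_uid',    domain: 'retarget.example', setAtMs: 1100, via: 'http' },
  { name: 'cart_id',    domain: 'shop.example',     setAtMs: 9000, via: 'http' },
];
// Cookies listed in the published cookie policy (constructed; the retargeting cookie is missing).
const DECLARED = ['PHPSESSID', 'cart_id', '_ga', '_ga_ABC123', '_gcl_au', '_fbp'];

// Constructed sample taxonomy: cookie-name patterns -> category. Anything unmatched is
// treated as needing consent, never as strictly necessary.
const TAXONOMY = [
  [/^(PHPSESSID|JSESSIONID|cart_id|csrf_token)$/, 'essential'],
  [/^_ga(_[A-Z0-9]+)?$|^_gid$/, 'analytics'],   // Google Analytics 4 cookies
  [/^(_gcl_au|_fbp|_fbc)$/, 'marketing'],       // Google Ads and Meta Pixel cookies
];

function classify(name) {
  for (const [pattern, category] of TAXONOMY) if (pattern.test(name)) return category;
  return 'unknown';
}

function isThirdParty(domain) {
  return domain !== FIRST_PARTY_HOST && !domain.endsWith('.' + FIRST_PARTY_HOST);
}

// Runs the three checks over a snapshot and reports whether the site passes them.
function audit(observed, declared, bannerMs) {
  const declaredSet = new Set(declared);
  const byCategory = {};
  const preConsent = [];          // non-essential cookies set before any banner interaction
  const undeclared = [];          // cookies the policy does not mention
  const thirdPartyHosts = new Set();
  for (const cookie of observed) {
    const category = classify(cookie.name);
    byCategory[category] = (byCategory[category] || 0) + 1;
    if (category !== 'essential' && cookie.setAtMs < bannerMs) {
      preConsent.push({ name: cookie.name, category, via: cookie.via });
    }
    if (!declaredSet.has(cookie.name)) undeclared.push(cookie.name);
    if (isThirdParty(cookie.domain)) thirdPartyHosts.add(cookie.domain);
  }
  return {
    byCategory,
    preConsent,
    undeclared,
    thirdPartyHosts: [...thirdPartyHosts],
    compliant: preConsent.length === 0 && undeclared.length === 0,
  };
}
```

Running `audit(OBSERVED, DECLARED, BANNER_INTERACTION_MS)` on the constructed snapshot flags five cookies set before consent and one undeclared cookie; shifting every cookie past the banner interaction and declaring the missing one makes the same check pass.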
Our Cookie Compliance Audit and CMP Implementation Process
For companies with advanced digital marketing strategies, cookie compliance does not have to mean abandoning measurement. The correct implementation of Google Consent Mode v2, combined with a properly configured CMP, allows useful conversion measurement to be maintained even when a portion of users rejects cookies — using Google’s data modelling for non-consent sessions. This compliance architecture is what allows businesses to balance the regulatory obligation with the data needs of commercial decision-making.
The pre-consent blocking of third-party scripts is the critical technical control that separates a functioning CMP from a cosmetic one. A banner that records user preferences but fails to block the underlying scripts before consent — a common failure in CMP implementations — provides no actual protection and is easily detected in a technical inspection. We verify the full technical implementation, not just the visual appearance of the consent interface.
Real Results from Cookie Compliance
A correctly implemented cookie compliance system delivers zero AEPD sanctions for clients who maintain it properly. The combination of a technical audit, a correctly configured CMP, and documented consent records is the evidence that regulators look for and that our clients have consistently demonstrated. In the broader context of GDPR compliance, cookie compliance is the most visible interface of a company’s privacy commitment — the one users experience directly and the one supervisory authorities inspect most easily. Our external DPO service provides ongoing oversight to maintain compliance as platforms and regulations evolve.
Preparing for ePrivacy and the Regulatory Road Ahead
The ePrivacy Regulation has been delayed repeatedly, but its eventual entry into force will require material changes to consent systems, electronic communications metadata handling, and digital advertising rules. Organisations that build their consent infrastructure correctly now — with a well-structured CMP, documented consent records, and a modular architecture — will adapt far more easily when the Regulation finally applies. Privacy by design integration ensures cookie compliance does not operate in isolation from your broader privacy framework.
Google Analytics, Google Ads, and Meta Pixel: The Most Frequent Cases
Analytics and digital advertising tools are the most common sources of cookie compliance violations. Understanding their specific requirements is essential for any company running digital marketing operations in Spain and Europe.
Google Analytics 4 (GA4). GA4 uses first-party cookies and sends data to Google servers in the United States. Following the Schrems II judgment (C-311/18) and decisions by multiple European supervisory authorities (Austria, France, Italy, Belgium), the transfer of European user data to Google without additional safeguards has been declared unlawful in several jurisdictions. Using GA4 without explicit consent or without a server-side tagging solution that anonymises data before transmission can generate GDPR liability. Google Consent Mode v2 is the recommended technical mechanism for maintaining measurement capability compatible with compliance.
Google Ads conversion pixels. Conversion pixels triggered after a purchase or form submission are third-party cookies that require prior consent if the user has not accepted marketing cookies. Many incorrect implementations fire the conversion pixel on the conversion event without verifying whether the user has consented to marketing cookies. The correct implementation must be conditional on the consent state in the CMP.
Meta Pixel (Facebook Pixel). The Meta Pixel installs tracking cookies and can activate retargeting functionality. It requires explicit prior consent in any European context. Server-side integration (CAPI — Conversions API) allows reduced reliance on browser cookies and improved measurement while maintaining compliance.
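As an added example (not BMC's code and not any CMP vendor's), a minimal consent gate in the browser's language that ties together the controls described above: tags held back until their category is granted, Google Consent Mode v2 signals defaulting to denied and updated only on an explicit choice, the conversion pixel firing only when marketing consent is on record, closing the banner treated as no choice at all, and each decision logged with timestamp, purposes and policy version. The `gtag` stub and the policy version string are assumptions standing in for the real tag function and the site's published policy version.

```javascript
const POLICY_VERSION = 'cookie-policy-v3';   // constructed placeholder for the published policy version

const gtagCalls = [];                         // stub: records calls instead of sending them to Google
function gtag(...args) { gtagCalls.push(args); }

// Consent Mode v2 signals controlled by each purpose category of the banner.
const SIGNALS = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

class ConsentGate {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.granted = { analytics: false, marketing: false };   // nothing granted before a choice
    this.pending = [];      // tags registered before the user has decided
    this.records = [];      // the auditable consent log
    // Default every signal to denied before any tag runs; wait briefly for the CMP's update.
    gtag('consent', 'default', {
      ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied',
      analytics_storage: 'denied', wait_for_update: 500,
    });
  }

  // Pre-consent blocking: a tag needing `category` runs only once that category is granted.
  register(category, run) {
    if (this.granted[category]) run();
    else this.pending.push({ category, run });
  }

  // "Accept all", "Reject all" or a granular second-layer choice all arrive here.
  decide(choice, source) {
    this.granted = { analytics: !!choice.analytics, marketing: !!choice.marketing };
    const update = {};
    for (const [category, signals] of Object.entries(SIGNALS)) {
      for (const s of signals) update[s] = this.granted[category] ? 'granted' : 'denied';
    }
    gtag('consent', 'update', update);
    this.records.push({ at: this.now(), source, purposes: { ...this.granted }, policyVersion: POLICY_VERSION });
    // Release only the tags whose category was granted; the rest stay blocked.
    this.pending = this.pending.filter(({ category, run }) => {
      if (this.granted[category]) { run(); return false; }
      return true;
    });
  }

  // Closing the banner with the X is not consent: state unchanged, nothing released, nothing updated.
  dismiss() { /* intentionally no consent change */ }

  // A conversion event fires its pixel only if marketing consent is on record; returns whether it did.
  conversion(run) {
    if (!this.granted.marketing) return false;
    run();
    return true;
  }

  // Withdrawal is logged like a grant and turns the signals back to denied.
  withdraw() { this.decide({ analytics: false, marketing: false }, 'withdraw'); }
}

// Walks through the X-button and granular-choice cases; returns what fired and what was logged.
function runScenario() {
  const fired = [];
  const gate = new ConsentGate(() => '2025-01-01T00:00:00.000Z');   // fixed clock for a repeatable log
  gate.register('analytics', () => fired.push('ga4'));
  gate.register('marketing', () => fired.push('meta-pixel'));
  gate.dismiss();                                   // X button: still nothing fires
  const afterDismiss = fired.length;
  gate.decide({ analytics: true, marketing: false }, 'banner-granular');
  const adsFired = gate.conversion(() => fired.push('ads-conversion'));
  const lastUpdate = gtagCalls[gtagCalls.length - 1][2];
  return { afterDismiss, fired, adsFired, records: gate.records, lastUpdate };
}
```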
Choosing the Right Consent Management Platform (CMP)
The choice of CMP has a direct impact on compliance and on marketing performance. Not all CMPs are equivalent: some lack the granularity needed to manage consents by purpose, others do not generate auditable consent records, and some are not correctly integrated with Google Consent Mode v2.
CMPs certified by IAB Europe under the Transparency & Consent Framework (TCF 2.2) offer a level of standardisation that simplifies integration with digital advertising platforms. However, TCF 2.2 is under scrutiny from several European data protection authorities, and its use does not automatically satisfy GDPR requirements.
Our team evaluates the most appropriate options for each company’s technical and business profile: Cookiebot, OneTrust, Usercentrics, CookieYes, or custom implementations. The selection considers traffic volume, marketing stack complexity, and the documentation requirements of the outsourced DPO.
Dark Patterns and the Risk of Manipulative Design
The AEPD and the European Data Protection Board (EDPB) have published specific guidelines on dark patterns in privacy interfaces. The most frequently sanctioned patterns are: an “Accept all” button in a prominent colour alongside a grey or smaller “Reject” option; the absence of a rejection option in the first layer of the banner (forcing the user to enter “Manage settings” to decline); pre-ticking of cookie categories; and treating the closure of the banner via the X button as acceptance.
A compliant banner design is technically neutral: the accept and reject options are equally accessible and the text is clear about the consequences of each choice. This standard is compatible with good UX design. We coordinate with design and development teams to implement banners that comply without penalising user experience or consent rates.
Regulatory Framework: LSSICE, GDPR, and AEPD Guidance
Cookie compliance in Spain operates at the intersection of two legal frameworks and one set of regulatory guidelines:
LSSICE (Ley 34/2002 de Servicios de la Sociedad de la Información y de Comercio Electrónico): Art. 22.2 LSSICE requires that website operators inform users of the use of cookies and obtain their consent, unless the cookies are strictly necessary for the requested service. The LSSICE pre-dates the GDPR but remains the primary domestic legal basis for cookie consent obligations in Spain.
GDPR (Regulation 2016/679): the GDPR defines consent requirements applicable to all processing of personal data, including data processed through cookies and tracking technologies. Under the GDPR, consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and scrolling as consent are specifically excluded. The GDPR’s accountability principle also requires that consent records be maintained and demonstrable.
AEPD Cookie Compliance Guide (2023, updated 2024): the AEPD has published practical guidance on the implementation of cookie compliance that constitutes the definitive interpretation of the legal framework in Spain. The guide specifies: the acceptable categories of strictly necessary cookies (exempt from consent), the requirements for the first layer of the consent banner, the requirements for the second layer, the treatment of consent withdrawal, the storage limitation for consent records, and the acceptable banner interaction patterns. AEPD enforcement decisions are consistently aligned with this guidance.
Sectors Most Affected
E-commerce and retail: high traffic volumes, complex marketing stacks (Google Ads, Meta Pixel, affiliate networks, retargeting platforms), and sophisticated analytics requirements make e-commerce the highest-complexity cookie compliance environment. Every new marketing platform integration requires reassessment of the cookie declaration and CMP configuration.
Media and publishing: advertising-funded digital media requires consent for advertising personalisation cookies, creating a commercial tension between consent rates and advertising revenue. Publishers in Spain have been among the most active test cases for the AEPD’s enforcement of cookie compliance standards.
SaaS and B2B platforms: even B2B platforms serving corporate users must comply with cookie regulations on their public websites, marketing landing pages, and login portals. Many B2B companies underestimate their cookie compliance obligations because they do not run consumer advertising campaigns.
Healthcare and professional services: websites for healthcare providers, law firms, and accountants frequently use contact form tracking, appointment booking analytics, and lead source attribution tools that install cookies. The combination of sensitive service category and cookie tracking creates a compliance risk that requires careful management.
Company Size Segmentation
Small businesses and freelancers with simple websites and minimal marketing technology stacks need a basic CMP implementation (typically a lightweight solution such as CookieYes), a compliant cookie declaration, and a privacy policy that covers cookie use. Our basic cookie audit and setup service covers this profile with a fixed-fee one-day implementation.
Medium companies with active digital marketing programmes — Google Ads, Meta advertising, email marketing, analytics — need a more comprehensive CMP with Google Consent Mode v2 integration, server-side tagging assessment, and regular cookie declaration updates as the marketing stack evolves.
Large companies and e-commerce platforms with complex consent requirements, multiple marketing platforms, and significant consent rate implications need a full CMP programme: platform selection, custom implementation, consent rate optimisation, A/B testing of compliant banner variants, and quarterly compliance monitoring.
Common Mistakes We Fix
- Installing a CMP but not blocking pre-consent scripts. The most common technical failure is a CMP that records the user’s preferences but fails to actually block the third-party scripts before the user has interacted with the banner. The scripts fire on page load regardless of the user’s choice. This is detectable in a technical audit and constitutes a cookie violation even when the banner appears compliant.
- Not updating the cookie declaration when the marketing stack changes. Cookie declarations become outdated as marketing tools are added, removed, or updated. An undisclosed cookie is a compliance failure, regardless of the CMP configuration. Cookie declarations must be audited and updated whenever a new marketing tool is integrated.
- Treating strictly necessary cookies too broadly. AEPD guidance defines strictly necessary cookies narrowly: session management, shopping cart, and similar cookies essential to the service the user has requested. Analytics cookies, even first-party ones, are not strictly necessary and require consent. Many websites incorrectly classify analytics and functionality cookies as “strictly necessary” to avoid requiring consent.
- Not maintaining consent records. The GDPR’s accountability principle requires that consent be demonstrable. Organisations must maintain records of when consent was given, for which purposes, and under which version of the privacy notice. CMP configuration that does not generate and retain these records leaves the organisation unable to demonstrate compliance in an AEPD investigation.
- Not coordinating the cookie policy with the privacy policy. The cookie declaration and the privacy policy must be consistent — the same data processing activities described in one must appear in the other. Inconsistencies between the two documents are a standard finding in AEPD inspections and are treated as evidence of inadequate transparency.
How We Work
Cookie audit (one-time): technical scan of the website to identify all cookies and tracking technologies, classification against the strictly necessary/analytics/marketing taxonomy, gap analysis against AEPD guidance. Delivered within 1-2 weeks. Fixed fee based on website size.
CMP implementation: platform selection, CMP configuration, Google Consent Mode v2 integration, server-side tagging assessment, and compliant banner design. Delivered within 2-4 weeks.
Ongoing monitoring: quarterly cookie declaration review, update when marketing stack changes, consent rate monitoring, and regulatory update briefings as AEPD guidance evolves.
ePrivacy preparation: for companies wanting to prepare for the eventual ePrivacy Regulation, we audit the current consent infrastructure against the anticipated requirements and identify the architectural changes that will be required when the Regulation enters into force.
AEPD Enforcement Record: Cookie Compliance Sanctions in Spain
The AEPD’s enforcement record on cookie compliance confirms that the authority is actively inspecting websites and issuing sanctions for non-compliance. Key enforcement trends from 2023-2025:
Most frequently sanctioned violations:
- Absence of a compliant consent banner (cookies active without any consent mechanism).
- Pre-consent cookie activation (cookies firing before the user interacts with the banner).
- No rejection option in the first banner layer (dark pattern, requiring the user to navigate to a settings panel to decline).
- Incomplete cookie declaration (undisclosed cookies, inaccurate retention periods, missing data controller information).
- Using scrolling or continued browsing as implicit consent (explicitly rejected by AEPD and the EDPB).
Fine range: AEPD fines for cookie violations typically range from EUR 5,000 to EUR 200,000 depending on the severity of the violation, the size of the organisation, the intentionality of the violation, and the remediation measures taken. Repeat violations attract higher fines.
Proactive investigations: the AEPD conducts proactive website sweeps in addition to responding to complaints. Organisations in high-profile sectors (e-commerce, digital media, financial services, healthcare) have faced proactive inspections regardless of whether any complaint was filed.
Cookie Compliance for Mobile Applications
Cookie compliance obligations extend beyond websites to mobile applications that use tracking technologies to collect personal data from users. Mobile apps frequently use:
- Device identifiers (IDFA on iOS, GAID on Android) for advertising attribution.
- In-app analytics SDKs that collect usage data and send it to third-party analytics providers.
- Crash reporting tools that may capture personal data in exception logs.
- Push notification systems that link device identifiers to user profiles.
The consent requirement for these technologies is the same as for web cookies: prior, informed, specific, and freely given consent for any processing that is not strictly necessary for the service. Apple’s App Tracking Transparency (ATT) framework and Android’s privacy sandbox are the platform-level mechanisms for managing advertising tracking consent on mobile. GDPR compliance requires that the consent collected through these platform mechanisms also satisfies GDPR requirements — which in practice means aligning the in-app consent UX with GDPR standards, not just the platform’s technical requirements.
Worked Example: Cookie Compliance for an E-Commerce Platform
A Spanish e-commerce retailer (EUR 15 million online revenue, 180,000 monthly unique visitors) had a cookie banner that allowed users to click “Accept all” or close the banner with the X button — treating the X click as acceptance of all cookies. The platform used Google Analytics 4, Google Ads conversion tracking, Meta Pixel, and a retargeting platform. None of the marketing cookies were blocked before consent.
BMC’s audit findings:
- X button treated as acceptance: clear dark pattern, sanctionable under AEPD guidance.
- Marketing cookies firing on page load: pre-consent activation, primary LSSICE violation.
- No rejection option in the first layer: required navigation to “Cookie settings” to decline — another dark pattern.
- Cookie declaration: 4 undisclosed cookies from the retargeting platform, incorrect retention periods for GA4.
Remediation:
- Replaced the X button with a “Reject all” button of equal prominence to the “Accept all” button.
- Implemented pre-consent blocking: all marketing cookies now blocked until the user actively accepts.
- Configured Google Consent Mode v2 for GA4 and Google Ads: measurement maintained for accepting users, modelled data for non-accepting users (no consent-mode violation).
- Updated cookie declaration with all 4 previously undisclosed cookies and corrected retention periods.
- Configured server-side tagging for Meta Pixel to reduce cookie reliance.
Post-remediation: consent rate maintained at approximately 62% (industry average for Spain). Marketing measurement maintained through Consent Mode modelling. Zero AEPD inquiries in the 18 months following remediation.
Real results in cookie compliance
We thought our cookie banner was standard. BMC's technical audit found 23 third-party cookies firing before consent, and a reject button buried three layers deep in settings. Fixed in four weeks. We have had no AEPD issues since.
What our cookie compliance service includes
Consent System Assessment
Analysis of the current banner and consent flow against AEPD Cookie Guidelines requirements: consent validity, equivalence of rejection, and layered information structure.
CMP Implementation
Configuration or implementation of the Consent Management Platform in compliance with AEPD requirements, including consent logging and pre-consent blocking of third-party scripts.
ePrivacy Regulation Readiness
Impact analysis of the forthcoming ePrivacy Regulation on the consent system and a roadmap for adaptation when the Regulation enters into force.