Skip to main content

Spanish Data Protection Authority (AEPD) releases new Guidelines on the use of Cookies


The Spanish Data Protection Authority (AEPD) has just updated the Guide on the use of “cookies” to adapt it to the Guidelines 05/2020 on consent under Regulation 2016/679, as modified in May 2020 by the European Data Protection Board (EDPB).

This update was quite expected since the publication of the DPA’s 'Cookie' Guide in No-vember 2019 generated some controversy among other DPAs as well as the experts at large.  Indeed, the option to continue browsing as a way of expressing the user's consent, as it was recognized in that Guide, was not  well regarded by other regulators given the  requirement of express consent in GDPR (General Data Protection Regulation). This was also the position of the EDPB. 

Regarding the "cookie walls", the Board specified that for consent to be considered freely granted, access to the service and its functionalities should not be conditioned on the user consenting to the use of cookies ("cookie wall" ). For this reason, the new Guide establishes that the so-called "cookie walls" that do not offer an alternative to consent may not be used, in particular, in those cases in which the denial of access would prevent the exercise of a legally recognized right to the user as, for example, where access to a website is the only means provided to the user to exercise this right. The AEPD indicates that, however, “there may be certain cases in which the non-acceptance of the use of cookies prevents ac-cess to the website or the total or partial use of the service, provided that the user is ade-quately informed about this and offers an alternative to access the service without having to accept the use of cookies. As established in the 05/2020 Guidelines on the consent of the EDPB, the services of both alternatives must be genuinely equivalent. Likewise, it will also not be valid that the equivalent service is offered by an entity other than the publisher ".

When the EDPB in its plenary session in May published such Guidelines, the AEPD already announced changes ahead.

The new AEPD’s Guide Guide on the use of “cookies”of has been published in its web-site.  See:

The new criteria stated must be implemented no later than October 31 of this year, thus it establishes a transitional period of three months for the Spanish organizations to adapt.

Despite the fact that with the approval in the future of the‘ Eprivacy ’Regulation, still pend-ing, it is possible that it will alter the‘ cookie ’regulations again in some way, it is of the ut-most importance that all organizations using „cookies“ adapt as soon as posible to this new development, in particular, as the sanctions imposed by the Spanish DPA for infringing the „cookies“ regime have been quite high so far. A € 30.000 fine has been imposed on the so-cial media Twitter and the same amount has been imposed on the aviation company Vueling.


Article provided by: Belén Arribas (Spain)  



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.