The Spanish DPA's new take on cookies: back to express consent

Last November, the Spanish Data Protection Authority (Spanish DPA) published its new Guidelines on the Use of Cookies within the framework of the GDPR and Spanish E-privacy rules. however, it went a bit further and distinguished itself from the general rule: the Spanish DPA considered that the “by browsing the website you accept the use of cookies” mechanism was acceptable. Less than a year afterwards, the Spanish DPA has stepped down and updated the Guidelines.

We already had the opportunity to describe the main highlights of the Guidelines on the Use of Cookies (Guidelines) in Engage. The content of the Guidelines has not changed much in comparison to last year's version, and the Guidelines still provide for the following information:

  • The definition of cookies, categories of cookies, and the relation between cookies and personal data protection. The Guidelines indicate which cookies are excepted from compliance obligations under Spanish Information Society Services and E-commerce Act.
  • Information duties and transparency with regard to cookie notices.
  • In-depth analysis on how to obtain consent, and when such consent is valid.
  • Analysis of the parties' responsibility in cookie use, and parties intervening in usage-based advertising processes.

The update of the Guidelines focuses on point 3 above, and is justified in the EDPB's own update of the Guidelines 05/2020 on consent earlier this year (which one may discuss it was not a mind-blowing update). In particular, these are the main changes that, for the Spanish market and based on the original Guidelines, are indeed material:

  • The “by browsing the website you accept the use of cookies” mechanism is abolished: consent must be granted by clearly "accepting" the cookies or carrying out similar actions to click "I accept". Browsing the website or the use of the scroll bar cannot be construed as an affirmative action. Examples provided in our previous Engage post are no longer valid.
  • No cookie walls: as established in the aforementioned Guidelines 05/2020, access to services and functionalities of the website cannot be made conditional on the consent to the cookies. Cookie walls not providing an alternative to the consent are not valid.
  • Access can be made conditional where (i) users are duly informed, and (ii) an alternative to the service / website is offered to the user without accepting cookies. Said alternative must be truly equivalent, and it would not be valid for such alternative to be offered by a company non-related to the website's editor.


The English version of the old Guidelines can be found here.

The Spanish DPA has given a 3 month truce (until October 31) for companies to adapt their websites, apps, etc., to the new criteria.


Authored by Santiago de Ampuero.


This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.