Iubenda logo
Start generating


Table of Contents

Spain: which cookie consent law rules apply

Granular, on scroll, on continued browsing… The cookie consent law may differ from state to state, let’s find out which rules apply in Spain.

cookie consent law - spain

Is cookie consent by scrolling allowed?

No, the Spanish Data Protection Authority (Agencia Española de Protección de Datos – AEPD) does not recognize consent by scrolling to be a valid indication of affirmative consent.

Is cookie consent by continued browsing allowed?

No. As with consent on scroll, cookie consent law in Spain does not recognize consent via continued browsing to be valid. Consent should be given via a direct affirmative action.

If the “Accept” button is not clicked, the user is not consenting to the use of cookies. This means that, in the case where the user does not click the button to accept cookies and simply continues browsing, no consent has been given.

Do I need to add a Reject button to my cookie banner?

Yes. The Spanish Data Protection Authority (AEPD) explicitly refers to the requirements of having both “Accept” AND “Reject” buttons.

These two buttons must be equally visible, put on the same layer and at the same level. The AEPD guide gives some examples where buttons have the exact same format (color, size, position).

In general, note that the option to reject cookies cannot be more complex than the possibility to accept cookies.

cookie consent law - aepd

Do cookies have to be blocked preventively?

Yes. Except for exempt categories, cookies must be blocked until users have given their consent.

Must cookie consent be granular?

Yes, you need to give users granular control on which categories of trackers to give consent to. The AEPD confirmed that cookies should be categorized based on their purpose, enabling users to selectively accept them (e.g., accepting analytical but not behavioral advertising cookies). This categorization isn’t fixed and can vary as long as the purpose distinctions remain clear.

Additionally, if the website publisher chooses, cookies can be further classified based on the third party responsible for them (e.g., choosing to accept analytical cookies from a certain third party and not those from another). For third-party cookies, identification by name or public brand, excluding the full corporate name, is sufficient. Overly detailed classifications, such as cookie-to-cookie selections within the same category, should be avoided to prevent decision-making complexity.

Is proof of consent requested according to the criteria established under the GDPR?

Not clearly specified. There is a chance that – unlike Italy – a technical cookie is not sufficient proof of consent, and therefore cannot be used to meet the requirement of keeping track of the consent acquired.

In this case you’ll have to keep records of consent – rather than simply proof.

How iubenda can help you manage cookie consent

Our comprehensive cookie management solution allows you to:

  • easily inform users via cookie banner and a dedicated cookie policy page (which is automatically linked to your privacy policy);
  • obtain and save cookie consent settings;
  • collect granular, per-category consent;
  • preventively block scripts prior to consent;
  • apply the IAB Transparency and Consent Framework with a single click;
  • maintain records of consent via integration with our Consent Database (integration available upon request).

Comply with cookie consent guidelines for Spain 🇪🇸

Start generating

About us


Cookie consent management for the ePrivacy, GDPR and CCPA


See also