AEPD Cookie Guide: how to have a compliant banner in 2025

·

The cookie banner is one of the most visible legal elements on any website and, at the same time, one of the most frequently mis-implemented. Spain's Agencia Española de Protección de Datos (AEPD) has published its Guide on the use of cookies and updated it to clarify precisely what is required of website operators. The regulatory framework combines Article 22.2 of Law 34/2002 on Information Society Services (LSSI-CE), which imposes a duty to inform users and obtain their consent for non-essential cookies, with the Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 (LOPDGDD), which govern the quality and traceability of that consent. This article answers, question by question, what you must do so that your website complies.

What are cookies and why does their regulation affect almost every website?

Cookies are small text files that a server places on a user's device when they visit a website. Not all cookies require consent. The LSSI-CE and the AEPD Guide distinguish between:

If your website uses Google Analytics in its standard configuration, Meta pixels, Google Ads tags or social buttons from LinkedIn or X that load third-party scripts, you need a banner with real consent. There is no exception based on company size.

What constitutes valid consent under the GDPR and the AEPD?

Article 4(11) of the GDPR defines consent as «any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her». The AEPD translates this into four cumulative requirements for cookie banners:

  1. Freely given: access to the website cannot be conditional on accepting non-necessary cookies. So-called cookie walls — pages that block content until the user accepts — are contrary to the GDPR unless a paid or tracking-free alternative is offered.
  2. Specific: the user must be able to choose which purposes they consent to (analytics yes, behavioural advertising no). A single «Accept all» button with no granular options does not satisfy this requirement when there are multiple purposes.
  3. Informed: before consenting, the user must know which cookies will be installed, for what purpose, for how long and whether data will be transferred to third parties or outside the European Economic Area.
  4. Unambiguous: silence or continued browsing cannot serve as consent. Pre-ticked boxes are not valid. A clear affirmative action is required: pressing an «Accept» button or configuring and saving preferences.

What must the first-layer banner include?

The AEPD distinguishes between the first layer (the banner that appears when the user lands on the website) and the second layer (the detailed configuration panel). The first layer must contain at minimum:

The critical point is symmetry between accepting and rejecting. The AEPD Guide is explicit: rejecting must be as easy as accepting. A design in which «Accept all» appears as a prominent, brightly coloured button while «Reject» is hidden as small grey text in a corner is not compliant. Such manipulative design — known as a dark pattern — may be sanctioned by the AEPD.

What are dark patterns and why does the AEPD sanction them?

Dark patterns are interface techniques that nudge users into decisions that do not reflect their actual wishes. In the context of cookie consent, the AEPD has identified several prohibited patterns:

Dark pattern Concrete example Why it is not compliant
Unbalanced interface Prominent green «Accept» button; «Reject» as grey text with no button Does not guarantee freedom of choice; biases towards acceptance
Pre-ticked options All cookie categories checked by default in the configuration panel GDPR requires affirmative action; silence is not consent
Multi-step rejection Accept: 1 click; Reject: 3 clicks and confirmation Rejection must be as easy as acceptance
Misleading language «Use essential cookies» presented as the only apparent alternative to «Accept all» Incomplete information; consent cannot be informed
Repeated re-prompting The banner reappears on every visit even though the user already rejected Pressures the user to accept through fatigue

What must the cookie policy (second layer) contain?

The full cookie policy — accessible from the banner and from the footer — must detail for each cookie or category of cookies:

Keeping this list up to date is an ongoing obligation: every time an analytics, advertising or chat tool is added or changed on the website, the cookie policy must be reviewed and updated.

What is consent logging and why does it matter?

Article 7(1) of the GDPR states that «the controller shall be able to demonstrate that the data subject has consented to processing». This is known as the accountability principle. In practice, the consent management platform (CMP) you use must record for each user:

If the AEPD opens an investigation or a user exercises their right of access asking what consents have been recorded, you must be able to prove it. CMP solutions such as Cookiebot, OneTrust or Axeptio store this log automatically; implementing a banner without a CMP and without a log may be sufficient for the AEPD to consider that consent is not verifiable.

What fines can the AEPD impose for cookie non-compliance?

Infringements related to cookie consent have a dual sanctioning basis:

In practice, AEPD sanctions against Spanish SMEs for non-compliant cookie banners have ranged from €3,000 to €150,000, depending on intent, number of users affected, duration of the infringement and cooperation with the AEPD. The AEPD may also order the deletion of data collected without valid consent, which can have a greater operational impact than the financial penalty for companies that base their model on behavioural data.

How often must user consent be renewed?

The AEPD Guide states that consent does not last indefinitely. As an indicative rule, it suggests that after 24 months since the user gave consent without having interacted with the banner again, it is reasonable to request it again to verify that the user's intent is unchanged. Equally, if the cookie policy changes substantially (new purposes, new third parties, change in international transfer basis), earlier consent may not cover the new circumstances and should be renewed.

How do we help at Summum Consultoría?

Making a cookie banner and policy compliant is not just a writing exercise: it involves auditing the actual cookies the website installs (which are often more than the operator is aware of), correctly configuring the consent management platform and keeping it updated as the site's technology stack changes. At Summum Consultoría we carry out the full technical and legal analysis: cookie scan, policy drafting, CMP configuration and training for the team responsible for the website.

If you also need to review all your website's obligations under the LSSI and GDPR — legal notice, privacy policy, terms of sale — you can read our article on legal requirements for an online shop. And if your organisation is required to appoint a DPO or wants to outsource that role, we explain the criteria in our guide on external DPO: when it is mandatory.

Frequently asked questions

Does an informational website without a shop also need a cookie banner?

Yes, if it installs cookies that are not strictly necessary for the service. Most informational websites use Google Analytics, social media buttons or tracking pixels that activate third-party cookies. In all these cases, prior consent is required regardless of whether there are economic transactions on the site.

Can I still count visits if the user rejects cookies?

Yes, but in a limited way. There are traffic measurement methods that do not use cookies or persistent identifiers and therefore do not require consent: server-side analytics based on logs, visit counters without user identification or tools such as Matomo configured in cookieless mode. These methods provide less granular metrics than GA4, but are compliant without needing a consent banner for that specific function.

What about social media cookies installed by share buttons?

Share buttons from Facebook, X, LinkedIn or Instagram that load those platforms' scripts install third-party cookies as soon as the user loads the page, before pressing the button. To avoid this without giving up the buttons, two-click or deferred-loading solutions exist: the button does not activate the script until the user clicks on it (or until consent has been given for that category). This configuration is the only compliant option if the user has not consented to social media cookies.

Is installing a cookie plugin on WordPress sufficient?

It depends on the plugin and its configuration. Many WordPress cookie plugins generate a banner but do not effectively block cookies before the user consents: they install Google Analytics or Meta cookies on the first page load, before the banner appears. To be compliant, the plugin must implement prior blocking, compatibility with Google Consent Mode and an auditable record of user preferences. A technical audit is necessary to confirm that the chosen plugin meets these requirements in practice.