Cookie Compliance: Valid Consent, Not Just a Banner

Cookie compliance in Spain is governed by Article 22(2) of Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE), read in conjunction with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the AEPD's Cookie Guidelines (updated 2023). Non-essential cookies — including analytics, advertising, and social media cookies — require prior, freely given, specific, informed, and unambiguous consent before being placed on a user's device; consent obtained through dark patterns (such as a more prominent "Accept" button, or rejecting cookies buried in configuration menus) does not meet the legal standard. The forthcoming ePrivacy Regulation will replace the LSSI-CE cookie provisions at EU level.

Cookie compliance is the area of data protection where the largest gap exists between how businesses perceive their position and the regulatory reality. A cookie banner on a website is not compliance — it is the starting point of a system that, to be valid, must ensure that the consent obtained meets all the requirements of the GDPR and the AEPD’s Cookie Guidelines.

Why Cookie Compliance Matters for Your Business

The AEPD’s updated 2023 Cookie Guidelines set concrete criteria that many current implementations do not meet. The equivalence requirement — that accept and reject options must be equally prominent and accessible in the first layer of the banner — generates the most violations. The common practice of placing an Accept all button on the first layer and making rejection available only through a settings link buried in secondary navigation is expressly contrary to the AEPD guidelines and has resulted in sanctions in recent enforcement decisions.

The technical cookie audit also regularly reveals situations organisations were unaware of: third-party scripts loading before the user has interacted with the banner, cookies setting regardless of the option chosen, or advertising trackers active that the technical team had forgotten and that do not appear in the cookie policy. This technical opacity generates the greatest regulatory risk, because it means the recorded consent does not correspond to the actual processing being carried out.

Our Cookie Compliance Audit and CMP Implementation Process

For companies with advanced digital marketing strategies, cookie compliance does not have to mean abandoning measurement. The correct implementation of Google Consent Mode v2, combined with a properly configured CMP, allows useful conversion measurement to be maintained even when a portion of users rejects cookies — using Google’s data modelling for non-consent sessions. This compliance architecture is what allows businesses to balance the regulatory obligation with the data needs of commercial decision-making.

The pre-consent blocking of third-party scripts is the critical technical control that separates a functioning CMP from a cosmetic one. A banner that records user preferences but fails to block the underlying scripts before consent — a common failure in CMP implementations — provides no actual protection and is easily detected in a technical inspection. We verify the full technical implementation, not just the visual appearance of the consent interface.

Real Results from Cookie Compliance

A correctly implemented cookie compliance system delivers zero AEPD sanctions for clients who maintain it properly. The combination of a technical audit, a correctly configured CMP, and documented consent records is the evidence that regulators look for and that our clients have consistently demonstrated. In the broader context of GDPR compliance, cookie compliance is the most visible interface of a company’s privacy commitment — the one users experience directly and the one supervisory authorities inspect most easily. Our external DPO service provides ongoing oversight to maintain compliance as platforms and regulations evolve.

Preparing for ePrivacy and the Regulatory Road Ahead

The ePrivacy Regulation has been delayed repeatedly, but its eventual entry into force will require material changes to consent systems, electronic communications metadata handling, and digital advertising rules. Organisations that build their consent infrastructure correctly now — with a well-structured CMP, documented consent records, and a modular architecture — will adapt far more easily when the Regulation finally applies. Privacy by design integration ensures cookie compliance does not operate in isolation from your broader privacy framework.

Google Analytics, Google Ads, and Meta Pixel: The Most Frequent Cases

Analytics and digital advertising tools are the most common sources of cookie compliance violations. Understanding their specific requirements is essential for any company running digital marketing operations in Spain and Europe.

Google Analytics 4 (GA4). GA4 uses first-party cookies and sends data to Google servers in the United States. Following the Schrems II judgment (C-311/18) and decisions by multiple European supervisory authorities (Austria, France, Italy, Belgium), the transfer of European user data to Google without additional safeguards has been declared unlawful in several jurisdictions. Using GA4 without explicit consent or without a server-side tagging solution that anonymises data before transmission can generate GDPR liability. Google Consent Mode v2 is the recommended technical mechanism for maintaining measurement capability compatible with compliance.

Google Ads conversion pixels. Conversion pixels triggered after a purchase or form submission are third-party cookies that require prior consent if the user has not accepted marketing cookies. Many incorrect implementations fire the conversion pixel on the conversion event without verifying whether the user has consented to marketing cookies. The correct implementation must be conditional on the consent state in the CMP.

Meta Pixel (Facebook Pixel). The Meta Pixel installs tracking cookies and can activate retargeting functionality. It requires explicit prior consent in any European context. Server-side integration (CAPI — Conversions API) allows reduced reliance on browser cookies and improved measurement while maintaining compliance.

Choosing the Right Consent Management Platform (CMP)

The choice of CMP has a direct impact on compliance and on marketing performance. Not all CMPs are equivalent: some lack the granularity needed to manage consents by purpose, others do not generate auditable consent records, and some are not correctly integrated with Google Consent Mode v2.

CMPs certified by IAB Europe under the Transparency & Consent Framework (TCF 2.2) offer a level of standardisation that simplifies integration with digital advertising platforms. However, TCF 2.2 is under scrutiny from several European data protection authorities, and its use does not automatically satisfy GDPR requirements.

Our team evaluates the most appropriate options for each company’s technical and business profile: Cookiebot, OneTrust, Usercentrics, CookieYes, or custom implementations. The selection considers traffic volume, marketing stack complexity, and the documentation requirements of the outsourced DPO.

Dark Patterns and the Risk of Manipulative Design

The AEPD and the European Data Protection Board (EDPB) have published specific guidelines on dark patterns in privacy interfaces. The most frequently sanctioned patterns are: an “Accept all” button in a prominent colour alongside a grey or smaller “Reject” option; the absence of a rejection option in the first layer of the banner (forcing the user to enter “Manage settings” to decline); pre-ticking of cookie categories; and treating the closure of the banner via the X button as acceptance.

A compliant banner design is technically neutral: the accept and reject options are equally accessible and the text is clear about the consequences of each choice. This standard is compatible with good UX design. We coordinate with design and development teams to implement banners that comply without penalising user experience or consent rates.