Companies have been expected to be compliant since January 11th, 2024. In this article, we cover the basic definition of what an “analytic cookie” entails, what the rules in Spain are according to the AEPD, and how you can get started with Didomi.
What are analytics cookies, and what are they used for?
Analytics cookies, sometimes called performance and measurement cookies, are small text files that are sent to your device while you are on a website to collect information about your usage and help the website provider improve features and services.
Analytics cookies can track metrics such as:
- Number of users on a website
- Average session length
- Website pages visited
While analytics cookies require user consent according to the General Data Protection Regulation (GDPR) and the ePrivacy Directive based on most interpretations, some data protection authorities consider that exemptions can be granted when certain conditions are met.
Guidance on the use of analytics cookies in Spain
The AEPD, following the example of the French data protection authority (CNIL), has identified specific uses of cookies that are deemed strictly necessary for service provision and may be exempt from consent. These include:
- Determination of device type, browser, and screen size
- Page load time statistics
- Statistics on user actions
To qualify for this exemption, you must fulfill the 3 following requirements:
- Limit the cookies' lifespan to 13 months without automatic renewal on new visits
- Ensure data retention does not exceed 25 months
If you are using a service provider for audience measurement, additional guarantees must be met, including a documented evaluation of tool configuration, a contractual commitment not to reuse data, and compliance with GDPR for data transfers outside the EU.
To read the full report from the AEPD, head to the data protection authority’s website:
How Didomi can help you get started with cookie collection compliance in Spain
Whether or not you’re already a Didomi customer using our Consent Management Platform (CMP), these updates do not necessarily require immediate changes to your CMP setup.
Most of the setup required takes place in your analytics solution, which you need to assess to determine whether it fits the AEPD requirements and can be exempted from consent. Then, it’ll only be a matter of adding the required vendor and related purpose in your CMP and communicating with your users in your consent banner.
Some analytics tools can be configured to be exempted from consent collection for audience measurement and analytics use cases. While the AEPD has not communicated specific names yet, the French DPA (CNIL), which outlines similar guidelines surrounding analytics cookies, issued a list last year (in French) naming over 20 analytics solutions that fit their criteria.
To discuss your CMP and analytics implementation and how to ensure compliance with the latest AEPD requirements, book a time with our team:
Frequently Asked Questions (FAQ)
Do analytics cookies require consent in Spain?
It depends. Under certain conditions, analytics cookies can be exempt from consent.
How do I determine if my analytics cookies can be exempt from consent under the new AEPD guidelines?
To determine if your analytics cookies can be exempt from consent, you need to ensure they meet the specific conditions set by the AEPD. These include:
- Using cookies strictly for audience measurement
- Limiting their lifespan to 13 months without automatic renewal
- Ensuring data retention does not exceed 25 months.
Additionally, if you're using a service provider, ensure they comply with GDPR and additional AEPD requirements.
What are the AEPD guidelines for analytics cookies and consent in Spain?
Find the updated guidelines from the AEPD here.