Earlier this year, the Spanish Data Protection Agency (AEPD) released updated guidelines on the use of cookies, which included new information and guidance for organizations, specifically regarding the use of analytics cookies and the conditions under which they might be exempt from requiring consent.


Companies are expected to be compliant since January 11th, 2024. In this article, we cover the basic definition of what an “analytic cookie” entails, what the rules in Spain are according to the AEPD, and how you can get started with Didomi. 






What are analytics cookies, and what are they used for?


Analytics cookies, sometimes called performance and measurement cookies, are small text files that are sent to your device while you are on a website to collect information about your usage and help the website provider improve features and services.


Analytics cookies can track metrics such as:


  • Number of users on a website

  • Average session length 

  • Website pages visited

  • etc.


While analytics cookies require user consent according to the General Data Protection Regulation (GDPR) and the ePrivacy Directive based on most interpretations, some data protection authorities consider that exemptions can be granted when certain conditions are met.


Guidance on the use of analytics cookies in Spain


The Spanish Data Protection Agency (AEPD) recently released a Guide on the Use of Cookies for audience measurement tools. This documentation is an addition to the existing Guide on the use of Cookies and introduces conditions under which measurement and analytical activities can be conducted without requiring user consent.


The AEPD, following the example of the French data protection authority (CNIL), has identified specific uses of cookies that are deemed strictly necessary for service provision and may be exempt from consent. These include:


  • Audience measurement

  • Determination of device type, browser, and screen size

  • Page load time statistics

  • Statistics on user actions


To qualify for this exemption, you must fulfill the 3 following requirements:


  • Inform your users of the use of these cookies through your privacy policy

  • Limit the cookies' lifespan to 13 months without automatic renewal on new visits

  • Ensure data retention does not exceed 25 months. 


If you are using a service provider for audience measurement, additional guarantees must be met, including a documented evaluation of tool configuration, a contractual commitment not to reuse data, and compliance with GDPR for data transfers outside the EU.


To read the full report from the AEPD, head to the data protection authority’s website:


Read the AEPD guide


How Didomi can help you get started with cookie collection compliance in Spain 


Whether or not you’re already a Didomi customer using our Consent Management Platform (CMP), these updates do not necessarily require immediate changes to your CMP setup. 


Most of the setup required takes place in your analytics solution, which you need to assess to determine whether it fits the AEPD requirements and can be exempted from consent. Then, it’ll only be a matter of adding the required vendor and related purpose in your CMP and communicating with your users in your consent banner.


Some analytics tools can be configured to be exempted from consent collection for audience measurement and analytics use cases. While the AEPD has not communicated with specific names yet, the French DPA (CNIL), which outlines similar guidelines surrounding analytics cookies, issued a list last year with the names of over 20 analytics solutions that fit their criteria (in French).


To discuss your CMP and analytics implementation and how to ensure compliance with the latest AEPD requirements, book a time with our team:


Talk to an expert


Frequently Asked Questions (FAQ)


Do analytics cookies require consent in Spain?

It depends. Under certain conditions, analytics cookies can be exempt from consent.


How do I determine if my analytics cookies can be exempt from consent under the new AEPD guidelines?

To determine if your analytics cookies can be exempt from consent, you need to ensure they meet the specific conditions set by the AEPD. These include:


  • Using cookies strictly for audience measurement
  • Limiting their lifespan to 13 months without automatic renewal
  • Ensuring data retention does not exceed 25 months. 


Additionally, if you're using a service provider, ensure they comply with GDPR and additional AEPD requirements.


What are the AEPD guidelines for analytics cookies and consent in Spain

Find the updated guidelines from the AEPD here.