Do analytics cookies require consent in Spain? Update from the AEPD

Earlier this year, the Spanish Data Protection Agency (AEPD) released updated guidelines on the use of cookies, which included new information and guidance for organizations, specifically regarding the use of analytics cookies and the conditions under which they might be exempt from requiring consent.

Companies are expected to be compliant since January 11th, 2024. In this article, we cover the basic definition of what an “analytic cookie” entails, what the rules in Spain are according to the AEPD, and how you can get started with Didomi.

Summary

What are analytics cookies, and what are they used for?
Guidance on the use of analytics cookies in Spain
How Didomi can help you get started with cookie collection compliance in Spain
Frequently Asked Questions (FAQ)

What are analytics cookies, and what are they used for?

Analytics cookies, sometimes called performance and measurement cookies, are small text files that are sent to your device while you are on a website to collect information about your usage and help the website provider improve features and services.

Analytics cookies can track metrics such as:

Number of users on a website
Average session length
Website pages visited
etc.

While analytics cookies require user consent according to the General Data Protection Regulation (GDPR) and the ePrivacy Directive based on most interpretations, some data protection authorities consider that exemptions can be granted when certain conditions are met.

Guidance on the use of analytics cookies in Spain

The Spanish Data Protection Agency (AEPD) recently released a Guide on the Use of Cookies for audience measurement tools. This documentation is an addition to the existing Guide on the use of Cookies and introduces conditions under which measurement and analytical activities can be conducted without requiring user consent.

The AEPD, following the example of the French data protection authority (CNIL), has identified specific uses of cookies that are deemed strictly necessary for service provision and may be exempt from consent. These include:

Audience measurement
Determination of device type, browser, and screen size
Page load time statistics
Statistics on user actions

To qualify for this exemption, you must fulfill the 3 following requirements:

Inform your users of the use of these cookies through your privacy policy
Limit the cookies' lifespan to 13 months without automatic renewal on new visits
Ensure data retention does not exceed 25 months.

If you are using a service provider for audience measurement, additional guarantees must be met, including a documented evaluation of tool configuration, a contractual commitment not to reuse data, and compliance with GDPR for data transfers outside the EU.

To read the full report from the AEPD, head to the data protection authority’s website:

How Didomi can help you get started with cookie collection compliance in Spain

Whether or not you’re already a Didomi customer using our Consent Management Platform (CMP), these updates do not necessarily require immediate changes to your CMP setup.

Most of the setup required takes place in your analytics solution, which you need to assess to determine whether it fits the AEPD requirements and can be exempted from consent. Then, it’ll only be a matter of adding the required vendor and related purpose in your CMP and communicating with your users in your consent banner.

Some analytics tools can be configured to be exempted from consent collection for audience measurement and analytics use cases. While the AEPD has not communicated with specific names yet, the French DPA (CNIL), which outlines similar guidelines surrounding analytics cookies, issued a list last year with the names of over 20 analytics solutions that fit their criteria (in French).

To discuss your CMP and analytics implementation and how to ensure compliance with the latest AEPD requirements, book a time with our team:

Frequently Asked Questions (FAQ)