
Cookie consent in Spain

Meet Spain's cookie rules under LSSI Article 22.2 and the AEPD's cookie guide

In Spain the "cookie law" is Article 22.2 of Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico (LSSI-CE), which transposes the ePrivacy Directive and requires prior, informed consent before any non-essential storage or retrieval device is placed on a user's terminal. It works alongside the GDPR and Spain's Ley Orgánica 3/2018 (LOPDGDD), and is interpreted in practice through the Guía sobre el uso de las cookies published by the Agencia Española de Protección de Datos (AEPD). The AEPD both supervises and sanctions cookie compliance, so a site that drops analytics or advertising cookies before the visitor accepts is already outside the law.


The law in Spain

Art. 22.2 LSSI-CE: service providers may use cookies only after the user has given consent following clear and complete information about their use.

Applicable laws

  • Ley 34/2002 (LSSI-CE), Artículo 22.2 — prior informed consent for storage/retrieval devices
  • Ley Orgánica 3/2018 (LOPDGDD) — Spanish data protection framework
  • Regulation (EU) 2016/679 (GDPR) — standard of valid consent
  • Articles 38–39 LSSI-CE — sanctions regime (leve/grave infractions)

Supervisory authority

AEPD

Agencia Española de Protección de Datos (Spanish Data Protection Authority)

www.aepd.es

Key figures

  • Art. 22.2: LSSI-CE provision requiring prior informed consent for cookies. Source: Ley 34/2002, Artículo 22.2 (BOE-A-2002-13758)
  • Up to €150,000: maximum fine for a 'grave' (repeated) cookie infraction under Art. 39 LSSI-CE. Source: Ley 34/2002, Artículos 38–39
  • €90,000: AEPD fine on Techpump Solutions for repeated cookie breaches (PS/00524/2023). Source: AEPD Resolución PS/00524/2023
  • 24 months: maximum recommended interval before consent must be renewed. Source: AEPD, Guía sobre el uso de las cookies (2023)

What Spain requires for lawful consent

Prior consent before non-essential cookies

Under Art. 22.2 LSSI-CE, analytics, advertising and other non-essential cookies may only be placed after the user gives consent. They must not fire on page load, before any interaction with the cookie notice. Strictly technical cookies needed to deliver the requested service are exempt.

Reject must be as easy as accept

The AEPD's cookie guide requires that accepting and rejecting cookies are offered at the same level, in the same prominent place and format, with comparable colour, size and effort. A visible 'Reject all' option must sit alongside 'Accept all'; hiding rejection behind extra clicks is treated as a deceptive pattern.

Clear, complete and granular information

Sites must explain who uses cookies, for what purposes, retention periods for each type, and the existence of international transfers to third-party providers, before consent is requested. Consent should be granular by purpose, not a single bundled choice.

Easy withdrawal and accessible settings

Users must be able to withdraw consent at any time as easily as they gave it, with a cookie configuration panel that stays permanently accessible during browsing. The AEPD recommends refreshing consent at most every 24 months.

Proof of valid consent

As consent must meet the GDPR standard (freely given, specific, informed, unambiguous), controllers should keep records demonstrating when and how each visitor consented, and be able to evidence what cookies fired before consent.

Spain's cookie law: LSSI Article 22.2 plus the GDPR

Spain regulates cookies through Article 22.2 of the LSSI-CE (Ley 34/2002), the national transposition of the ePrivacy Directive. It permits providers to use storage and retrieval devices on a user's terminal only on condition that the user has given consent after receiving clear and complete information about their use and the purposes of processing. Strictly technical cookies that are necessary to provide a service the user has explicitly requested fall outside this consent requirement.

Because consent under Art. 22.2 must reach the standard set by the GDPR and the LOPDGDD (Ley Orgánica 3/2018), it has to be freely given, specific, informed and unambiguous. Implied consent, pre-ticked boxes, or 'continuing to browse' no longer qualify. In practice this means non-essential cookies cannot be set until the visitor has taken a clear affirmative action to accept them.

What the AEPD's cookie guide demands in practice

The Agencia Española de Protección de Datos translates Art. 22.2 into concrete expectations through its Guía sobre el uso de las cookies. The July 2023 update aligned the guide with the EDPB's Guidelines 03/2022 on deceptive design patterns and became fully enforceable from 11 January 2024. It requires that the options to accept and reject cookies appear at the same level and prominence, so refusing is no harder than agreeing.

The guide also expects layered information covering purposes, retention periods and international transfers, a permanently accessible configuration panel, the ability to withdraw consent as easily as it was given, and renewal of consent at most every 24 months. These criteria are the yardstick the AEPD uses when it assesses a complaint or opens a sanctioning procedure against a Spanish website.

How CookieSentry supports Spanish compliance

CookieSentry's scanner loads your site the way a real visitor in Spain would and flags every cookie and tracker that fires before consent, naming the source — the exact pre-consent loading that breaches Art. 22.2. The free public scan needs no signup, and the exportable report plus PDF evidence give you a record you can act on and keep.

CookieSentry then generates GDPR documents — privacy and cookie policies and processing records — localized to national requirements, so your disclosures reflect the purposes, retention periods and transfers the AEPD expects. CookieSentry is not a consent banner or CMP: keep the banner you already use, and add CookieSentry's pre-consent audit and localized documentation on top.

Service providers may use data storage and retrieval devices on recipients' terminal equipment, on condition that the recipients have given their consent after being provided with clear and complete information about their use.

— Artículo 22.2, Ley 34/2002 (LSSI-CE)

Enforcement in Spain

The statute and the provision

Spain's cookie rule lives in Article 22.2 of Ley 34/2002 (LSSI-CE), which transposes the ePrivacy Directive. It conditions any non-essential storage or retrieval device on prior consent given after clear and complete information.

Who enforces it

The Agencia Española de Protección de Datos (AEPD), at https://www.aepd.es, supervises and sanctions cookie compliance and publishes the binding-in-practice Guía sobre el uso de las cookies, last updated in July 2023.

Real enforcement

The AEPD actively fines cookie breaches: €90,000 on Techpump Solutions for repeated violations across three sites (Resolución PS/00524/2023) and €5,000 on Massimo Dutti for cookie-policy irregularities under Art. 22.2.

How CookieSentry helps in Spain

CookieSentry scans your live site and flags every cookie and tracker that fires before consent, the failure the AEPD is most likely to act on, and names the source so you can fix it. Run the free public scan to get exportable evidence of what fires before consent, mapped to Spain's rules. It is not a consent banner: keep your banner and add the audit and evidence layer on top.

Frequently asked questions

What law governs cookies in Spain?

Cookies are governed by Article 22.2 of the LSSI-CE (Ley 34/2002), Spain's transposition of the ePrivacy Directive, read together with the GDPR and the LOPDGDD (Ley Orgánica 3/2018). It requires prior, informed consent before any non-essential cookie is placed on a user's device.

Who enforces cookie rules in Spain?

The Agencia Española de Protección de Datos (AEPD), the Spanish Data Protection Authority, supervises and sanctions cookie compliance. Its Guía sobre el uso de las cookies sets out the practical requirements the AEPD applies when handling complaints and sanctioning procedures.

Does Spain require a 'reject all' button?

Yes. The AEPD's cookie guide requires that rejecting cookies is as easy as accepting them, with both options shown at the same level, place and prominence. Making rejection harder than acceptance is treated as a deceptive design pattern and can lead to sanctions.

What are the fines for cookie breaches in Spain?

Under Articles 38–39 LSSI-CE, a cookie infraction is typically 'leve' (up to €30,000), rising to 'grave' (up to €150,000) for repeated breaches. The AEPD has issued real fines, including €90,000 on Techpump Solutions (PS/00524/2023) and €5,000 on Massimo Dutti.


Last reviewed 2026-06-14. General information on Spain cookie rules, not legal advice; verify current requirements with AEPD or qualified counsel.
