_Cookies_ remain a sensitive topic for any digital product. In 2025, Spain’s data authority has refined its criteria on what counts as valid consent and how to ensure genuine user control. This article—aimed at startup founders, product managers and legal teams—recaps what was already mandatory and then sets out, in detail, what’s changed, plus how to implement it in a banner design and technical architecture that stands up to scrutiny.
1) What was already mandatory (and still is)
The basic rule hasn’t moved: no non-essential cookie (analytics, advertising, non-essential personalization, A/B testing, social pixels, tracking SDKs) may be set or read before the user explicitly consents, and the tag or SDK that would set it must not fire either. Consent must be freely given, informed and specific, arising from a clear affirmative action; simply continuing to browse, scrolling, or doing nothing doesn’t count. You must provide layered information: a concise first-layer notice and a full, accessible and understandable cookie policy.
Equally important is reversibility: the user must be able to withdraw consent as easily as it was given. In practice, this requires a permanent, visible way to access cookie settings and, on withdrawal, the site must stop processing and delete any non-essential cookies already placed. At the same time, the organisation should be able to evidence what the user agreed to and when—without turning that record into a new tracking vector.
2) What changed in 2025 (and why it matters)
2.1 A truly symmetrical banner: “Accept” and “Reject” at the same level
Your first-layer banner must present two equivalent decisions: accept and reject. Equivalent means the same visual hierarchy, the same prominence, and the same number of clicks. If “Accept” is large, high-contrast and immediately accessible, “Reject” cannot be hidden behind an extra step, washed out in low-contrast colours, or rendered smaller. The goal is simple: rejecting cannot be harder than accepting.
Alongside those two choices, the banner must let users configure their decision. That third path should open—without detours—the preference panel: people shouldn’t have to wade through paragraphs before reaching the controls.
2.2 Granular consent that’s real (and no pre-ticked boxes)
Consent is no longer “all or nothing”. Users should be able to choose by purpose (analytics, personalization, advertising, etc.) and, where feasible, by provider. Pre-ticked boxes are out: every toggle must start in the off position, except for technical cookies that are exempt and don’t require consent. When the user finishes, there must be a clear “Save” button and a visible confirmation that their choice has been applied.
You must also provide a permanent link or icon (“Manage cookies”, “Privacy preferences”…). A banner that appears only once and then vanishes isn’t enough: people must be able to review and change their decision at any time.
2.3 Personalization: when it’s “technical” and when it isn’t
Here’s a nuance that reduces friction if applied well. If personalization stems from an explicit user choice (selecting language, dark mode, font size, column layout, currency) and the cookie only remembers that preference to deliver what was asked for, it’s a technical cookie and does not require consent. That avoids ruining UX for pure formalities.
It’s different when personalization is decided by the publisher without an explicit request. If the site adapts content by default based on prior behaviour or geolocation, that is a purpose that does require consent. And in all cases, a cookie set to remember a preference cannot be repurposed for something else (like marketing or profiling): that would change the legal basis.
Translation for e-commerce and SaaS: remembering the language or currency the user chose is technical; recommending products based on past browsing is not and requires consent.
2.4 Audience measurement without consent: possible, but tightly constrained
A very limited exception allows basic site usage measurement without consent, but only if all of the following conditions are met—no shortcuts:
- The purpose is exclusively statistical and data are collected for the publisher, not for the tool provider’s own interests.
- Outputs are aggregated (no individual profiles), data are not combined with other processing, not disclosed to third parties, and do not enable cross-site tracking (no shared identifiers across multiple domains).
- Time limits apply: cookie lifetime of no more than 13 months and retention of statistical data for no more than 24–25 months.
- This practice is clearly explained in the cookie policy (what you measure, how, and under which constraints).
In a startup’s reality, many popular analytics suites don’t meet this by default. If your provider drops third-party identifiers, mixes data across clients, or uses information for its own purposes, there is no exemption—you must ask for consent. Alternatives include self-hosted/first-party analytics or privacy-friendly services you can configure to these limits with contractual and technical safeguards.
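The following is an added example, not code from the article or from any analytics product, showing what “first-party measurement inside the exemption” looks like as code: a host-only visitor cookie with a capped lifetime, an audit function you can point at your own or a vendor’s `Set-Cookie` header, and a server-side reduction of raw hits to daily aggregates that discards the per-visitor detail and prunes anything past the retention window. The cookie name, the sample hits and the day counts used to approximate “13 months” and “24 months” are assumptions.

```javascript
// Added example (not the article's code): first-party audience measurement that
// stays inside the exemption's limits. Cookie name, sample hits and the exact
// day counts used for "13 months" / "24 months" are assumptions for illustration.

// Limits as applied here: cookie life <= 13 months (390 days, safely under 13
// calendar months) and aggregates kept <= 24 months (the stricter end of the
// 24-25 months quoted above).
const MAX_COOKIE_AGE_S = 13 * 30 * 24 * 3600; // 33696000
const RETENTION_MONTHS = 24;
const COOKIE_NAME = "_site_stats";            // assumed first-party cookie name

// Server-side Set-Cookie for the visitor id: host-only (no Domain attribute, so
// it is never shared with another domain), capped lifetime, never sent on
// cross-site requests, and unreadable from JavaScript since only the server
// that records hits needs it.
function measurementSetCookie(visitorId) {
  return `${COOKIE_NAME}=${visitorId}; Max-Age=${MAX_COOKIE_AGE_S}; Path=/; SameSite=Lax; Secure; HttpOnly`;
}

// Audit any Set-Cookie header (yours or a vendor's) against the same limits.
// Returns a list of findings; an empty list means nothing violates them.
function auditSetCookie(header, now = new Date()) {
  const [, ...rawAttrs] = header.split(";").map((s) => s.trim());
  const attrs = {};
  for (const a of rawAttrs) {
    const [k, ...v] = a.split("=");
    attrs[k.toLowerCase()] = v.join("=");
  }
  const findings = [];
  let lifetimeS = null; // null = session cookie, which is within the cap
  if ("max-age" in attrs) lifetimeS = Number(attrs["max-age"]);
  else if ("expires" in attrs) lifetimeS = (Date.parse(attrs.expires) - now.getTime()) / 1000;
  if (lifetimeS !== null && lifetimeS > MAX_COOKIE_AGE_S) {
    findings.push(`lifetime: ${lifetimeS}s exceeds the 13-month cap (${MAX_COOKIE_AGE_S}s)`);
  }
  if ("domain" in attrs) {
    findings.push(`scope: Domain=${attrs.domain} shares the id with every host under it; confirm all are your own properties measured under this same purpose`);
  }
  const sameSite = (attrs.samesite || "").toLowerCase();
  if (sameSite !== "lax" && sameSite !== "strict") {
    findings.push(`cross-site: SameSite is ${attrs.samesite || "missing"}; a measurement cookie should be Lax or Strict so it is never sent cross-site`);
  }
  return findings;
}

// Reduce raw hits (one row per request, carrying the visitor id) to daily
// per-page aggregates. Visitor ids are only used to count uniques and are not
// part of the output, so no individual profile survives this step.
function aggregateHits(hits) {
  const buckets = new Map(); // "day|path" -> { day, path, views, visitorSet }
  for (const h of hits) {
    const day = h.ts.slice(0, 10); // ISO timestamp -> YYYY-MM-DD
    const key = `${day}|${h.path}`;
    if (!buckets.has(key)) buckets.set(key, { day, path: h.path, views: 0, visitorSet: new Set() });
    const b = buckets.get(key);
    b.views += 1;
    b.visitorSet.add(h.visitor);
  }
  return [...buckets.values()]
    .map(({ day, path, views, visitorSet }) => ({ day, path, views, visitors: visitorSet.size }))
    .sort((a, b) => a.day.localeCompare(b.day) || a.path.localeCompare(b.path));
}

// Drop aggregates older than the retention window (calendar months back from now).
function pruneAggregates(rows, now = new Date(), months = RETENTION_MONTHS) {
  const cutoff = new Date(now);
  cutoff.setUTCMonth(cutoff.getUTCMonth() - months);
  const cutoffDay = cutoff.toISOString().slice(0, 10);
  return rows.filter((r) => r.day >= cutoffDay);
}

// Constructed sample hits (not real traffic); the last one is older than 24 months.
const SAMPLE_HITS = [
  { ts: "2025-03-01T09:00:00Z", path: "/", visitor: "v1" },
  { ts: "2025-03-01T09:05:00Z", path: "/pricing", visitor: "v1" },
  { ts: "2025-03-01T10:00:00Z", path: "/", visitor: "v2" },
  { ts: "2025-03-02T08:00:00Z", path: "/", visitor: "v1" },
  { ts: "2022-12-25T08:00:00Z", path: "/", visitor: "v9" },
];

function demo() {
  const now = new Date("2025-03-03T00:00:00Z");
  return {
    ownCookie: auditSetCookie(measurementSetCookie("a1b2c3"), now),
    // Constructed vendor header: two-year lifetime, shared across subdomains, no SameSite.
    vendorCookie: auditSetCookie("_vendor_id=xyz; Max-Age=63072000; Domain=.example.com; Path=/", now),
    aggregates: pruneAggregates(aggregateHits(SAMPLE_HITS), now),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

Run `auditSetCookie` over the headers your analytics stack actually emits (copy them from the browser’s network panel) before deciding you qualify for the exemption: a lifetime over the cap, a `Domain` attribute you did not expect, or a missing `SameSite` is exactly the kind of default that pushes a tool back into consent territory.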
2.5 “Pay or okay”: consent—or pay for an equivalent service
The so-called “consent or pay” model can be valid, but it isn’t a free pass. It only works if people have a genuine alternative to tracking: access equivalent in content and quality, offered by the same publisher, clearly explained and without pressure. The paid option cannot be a degraded service or a maze that effectively forces acceptance. For media or marketplaces, this means revisiting pricing, UX and messaging: if the trade-off is honest and transparent, it can hold; if you degrade or bury the alternative, it likely won’t.
2.6 Withdrawing must be as easy as giving: revocation that really stops and deletes
Authorities have already sanctioned situations where, after pressing “Reject”, third-party cookies remained active or scripts kept firing. A pretty button isn’t enough: your technical mechanism must stop processing and delete non-essential cookies already set. This requires testing real scenarios—first visit, return after accepting then revoking, authenticated and anonymous flows, different browsers—and checking that blocking and clean-up always work. Bear in mind what your own code can actually reach: from the browser, your script can only delete non-HttpOnly cookies on your own domain (the server can clear the HttpOnly ones in a response), and the deletion must carry the same Domain and Path the cookie was set with, or the browser treats it as a different cookie. Cookies a third party set on its own domain are out of reach, so for those the control is never letting the script run after a refusal, plus whatever deletion or opt-out mechanism the vendor provides.
3) How to land this in a startup—without turning it into a never-ending project
Start with a short audit: inventory cookies, SDKs and tags by environment (production, staging, landing pages), provider and purpose. Separate technical/exempt from consent-required and map dependencies: if a tag manager trigger fires another tag, you’ll only control both if the trigger is conditioned on consent state.
Redesign the first layer with three visible options from the outset: _Accept_, _Reject_ and _Configure_. The second layer should open straight to a control panel, not pages of text. Avoid biased language and “nudging” colours. Check that reject takes no more steps than accept.
If you want to measure without consent, select or configure analytics to meet every condition of the exemption, including time limits and the ban on cross-domain tracking. If you don’t fit, request consent and be clear in your policy: what you measure, why, and for how long.
Keep a strict boundary between technical personalization (user choices merely remembered) and editorial personalization (proactive adaptation): the former doesn’t need consent; the latter does and cannot be disguised as technical.
Provide a permanent link to reopen the panel and document the preference state (with a non-traceable identifier and timestamp per category, without turning it into new tracking). Plan regular tests: clear cookies, simulate user paths, and ensure there are no leaks—a pixel that fires too early, a mobile SDK ignoring the state, an orphan tag in your tag manager.
If you’re considering “pay or okay”, ensure the no-tracking alternative is equivalent, that it’s offered by your own service, and that communication is crystal-clear. Review pricing, how often the prompt appears, and UX: if users need a PhD to find the no-cookies option, it won’t fly.
4) Common questions in product and growth teams
Can “continue browsing” count as consent?
No. A clear affirmative action is required: pressing “accept” or enabling categories in the panel.
How granular do we need to be?
At least by purpose. If you also allow choice by provider within a purpose, even better. What’s not allowed: pre-ticked boxes or vaguely worded categories.
Is blocking in the tag manager enough?
Only if every tag that triggers non-essential processing depends on consent state. A poorly conditioned tag or a hard-coded script outside the manager breaks control.
Does a big vendor’s “Consent Mode” save me from asking consent?
Not by itself. It can help modulate behaviour when there’s no consent, but if the tool uses identifiers or has its own purposes, you’ll still need the user’s “yes”.
How long can we store “exempt” analytics data?
A practical reference is cookie life ≤ 13 months and data retention ≤ 24–25 months, and only for aggregated statistics of your own site.
What about mobile apps?
Same principle: if an SDK isn’t technical, it must not initialise without consent. Ensure iOS/Android SDKs respect state from first launch.
Do we have to record consent?
It’s advisable to keep a lightweight proof (per-purpose preferences, timestamp, and a non-traceable identifier) for inspections—without turning that record into new tracking.
5) Pitfalls that trigger red flags today
Designs that hide the reject option, third-party cookies firing before any choice, panels that don’t provide real control, “exempt” analytics that actually share data or track across sites, and revocations that don’t delete what’s already set are classic compliance failures. Avoiding them is largely honest design plus a well-wired technical chain.
---
Conclusion
The 2025 message is clear: real choice, continuous control, and restrained traces. A symmetric banner, a usable granular panel, audience measurement under strict limits or backed by consent, correctly classified personalization, and revocation that stops and deletes are now table stakes for any serious product. For a startup, doing this well means less regulatory friction, less technical debt, and more user trust. If you tune design and architecture now, you’ll be ahead of the curve at review time—and you’ll improve your customer experience along the way.