Understanding the recent guidance by the Spanish Data Protection Authority on analytics cookies | Fieldfisher



In this episode of Fieldfisher's Bytesize Legal Updates podcast, Pardeep Dhanoya and Andrea Ortega discuss the recent guidance issued by the Spanish Data Protection Authority (DPA) on analytics cookies and its implications for businesses. Under the EU and UK cookie rules, only strictly necessary cookies are exempt from the requirement to obtain prior consent from users. Analytics cookies are not considered strictly necessary; thus, companies must provide information and obtain consent from users.

The guidance from the Spanish DPA builds upon the previous work of the European Data Protection Board (EDPB) and the Article 29 Working Party. It introduces an additional exemption for cookies that are strictly limited to first-party anonymized and aggregated statistical purposes, which present limited privacy risk. Some European data protection authorities, including those in France, Italy, and Luxembourg, have already supported this exemption. The Spanish DPA's recent guidance aligns with these opinions.

To qualify for the exemption under the Spanish guidance, cookies used for obtaining traffic or performance statistics must meet specific conditions. Firstly, they must be strictly limited to measuring the audience of the website or application. Secondly, the processing of these cookies must be carried out exclusively by or on behalf of the website or application publisher/owner, producing anonymous statistical data only. The cookies must not allow aggregate tracking of user navigation or be used for other purposes or transmitted to third parties.

The guidance provides examples of analytics cookies that are exempted from the consent requirement. These include cookies that determine a user's device type, browser, screen size, page load time statistics, time spent per page, bounce rate, scroll depth per page, and geographic area of origin of requests. The guidance also outlines minimum guarantees for consent-exempted analytics cookies, such as providing notice to users, limiting the lifetime of the cookies, and ensuring compliance with the requirements set by the Spanish DPA.

The key takeaway from this guidance for businesses is that analytics cookies can be exempted from the consent requirement if they meet the conditions set by local DPAs. It is crucial for companies to ensure their service providers comply with the EU and UK cookie rules, including the GDPR and ePrivacy Directive, and with local requirements. Non-compliance with cookie rules is being actively addressed by data protection authorities, as seen in the UK, where an AI solution is being developed to identify non-compliant websites. Companies should also be aware that privacy activists and users are increasingly filing complaints regarding cookie compliance. To stay compliant, businesses need to act and keep up to date with regulatory guidance.

In conclusion, the recent guidance from the Spanish DPA clarifies the requirements for cookies and their exemption from the consent requirement. It is essential for businesses to understand these guidelines and ensure compliance to avoid potential penalties and complaints. Stay informed about developments in cookie regulations and continue to prioritise data protection and privacy in your online practices.

Thank you for joining us for this episode of Bytesize Legal Updates!

Listen to the full episode on your podcatcher of choice and subscribe to the Bytesize Legal Updates series.
