Do you know the latest updates on cookies?

What are cookies and how do they work?

What are cookies? Cookies are temporary files that are installed on the device of the user who accesses websites. They usually have several purposes, sometimes for identification and other times to analyse the behaviour or conduct of the individual browsing the Internet. In essence, these types of files provide information about the website user.

Along with cookies, there are other information storage technologies (scripts, tracking pixels or other add-ons) that serve the same purpose.

How do cookies work? In general, cookies are stored on the user’s device when they access websites. When the user returns to said site, cookies enable the website to identify the user’s device and therefore remember the interactions that took place between said device and the website.

What are the regulatory requirements applicable to the use of cookies?

First, it is essential to note that the use of cookies is fundamentally regulated in two legal provisions. On the one hand, Article 22 of the Law on Information Society Services and Electronic Commerce (Law 34/2002, of 11 July, better known as LSSI) allows the use of cookies or any other data storage and retrieval device, provided that the user has given informed consent to do so. On the other, the General Data Protection Regulation (hereinafter, GDPR) states in its Recital 30 that when the use of a cookie involves the processing of personal data, the data controllers must ensure compliance with personal data protection legislation. A cookie is a personal datum of the individual, since it provides information about them.

Based on these provisions, website owners that use cookies must comply with two fundamental requirements: on the one hand, that of transparency, and on the other, that of obtaining user consent for their use. The former represents the duty to inform the subject about the existence of cookies in a concise, transparent and comprehensible manner. The latter means that the user must expressly consent to the installation of these files, and they may revoke said consent at any time (except in the case of technical or strictly necessary cookies).

It is important to remember that there are different types of cookies, such as: technical cookies, analytical cookies, profiling cookies, etc. Moreover, it is essential to keep in mind that technical cookies are the only ones that can be placed on a user’s device without their consent since they are necessary for the proper functioning of the website.

What is a cookie banner (pop-up)?

In terms of data protection, the cookie banner or pop-up is the first layer of information about the cookie processing carried out by a website. In short, the cookie banner is a notice or pop-up window that appears when we access a website.

What are the recent developments on the use of cookies introduced by the Spanish Data Protection Agency (AEPD) in its 2023 Guidelines on Cookies?

In February 2023, the European Data Protection Board (EDPB) published a Report on the requirements that a cookie banner must include. In July 2023, the AEPD updated the Guidelines on the use of cookies to adapt them to said Report, granting website owners a period of six months to meet the requirements of these new Guidelines. The period recently ended on 11 January.

In summary, the changes included are the following:

  • A reject button must be included in the cookie banner, along with the accept and settings buttons. This first layer of information must therefore contain:
      • An “accept” button to consent to the use of cookies.
      • A “reject” button to reject the use of cookies (except for technical or strictly necessary cookies).
      • A “settings” button or visible mechanism that takes users to or displays a settings panel that allows them to accept or reject cookies manually, at least depending on their purpose.
  • These buttons must have the same appearance, meaning that they must have the same formal and visual features for the user (i.e., colour, size, height, etc.). Rejecting cookies cannot be more difficult than accepting them.
  • Likewise, as already established in the previous regulations, cookie consent boxes must not be pre-ticked. Pre-ticking the box for cookie consent is an illegal action.
  • If the website only uses technical cookies, the cookie banner must state “this website only uses its own cookies for technical or strictly necessary purposes”. Remember that this is the only case when obtaining the user’s consent is not required.

What are the steps to follow for legal use of cookies?

As explained previously, if we wish to comply with the regulations on cookies, we should take into account the following tips:

  • The cookie banner is the first layer of information for this processing and it must comply with the duty of information in accordance with the GDPR.
  • Moreover, all cookie banners on any website must include: (i) “accept” button; (ii) “reject” button, and (iii) button or access to the cookies settings panel. These buttons must have the same features (colour, shape, size, etc.).
  • The “accept” option cannot be green and the “reject” option cannot be uncoloured or red. Withdrawing consent cannot be more difficult than giving it.
  • Pre-ticked options for accepting cookies to obtain consent are not permitted under any circumstances. This is an illegal action.
  • Remember that the only case where the user’s consent is not required is when technical or strictly necessary cookies are accepted.

The following two examples of cookie banners comply with current regulations:

Helena Rodríguez Martín
Data Protection Consultant at PONS IP
