The Spanish Data Protection Authority Agency (“AEPD”) recently updated its cookie guidance, which now requires a “reject” button in the first layer of cookie banners.

Previously, the AEPD did not require a “reject” option in the first layer of information. This is commonly referred to as the cookie banner. The option to reject any cookies being installed on devices could be provided in the second layer of information or cookie settings.

The majority of European Union (“EU”) Supervisory Authorities consider the approach of a cookie banner without a “reject” option alongside an “accept” option as an infringement of the ePrivacy Directive. This was also reflected in the report issued by the European Data Protection Board’s (“EDPB”) Cookie Banner Taskforce in January 2023.

The updated guidance aligns with the Cookie Banner Taskforce report and the EDPB’s Guidelines on deceptive patterns, which was adopted in February 2023. This change introduces a stricter criterion, requiring the inclusion of a “reject” button in cookie banners.

The guidance includes examples of adequate cookie banners and sets out that both options (that is “accept all” and “reject all”) must be presented to the user at the same time, at the same level and with the same visibility. Colour or contrast of the text and buttons must not lead users to provide consent involuntarily. 

Personalized cookies and cookies walls are also addressed in the updated cookie guidance of the AEPD. If a website editor decides about the personalization cookies based on information obtained from the user, the user must be informed and offered the option to accept or reject these cookies. Furthermore, while cookies walls are not allowed, there may be instances where not accepting the use of cookies would prevent access to the website or service, as long as the user is informed and is offered an alternative to access the services without the need to accept the use of cookies. This does not necessarily have to be free of charge.

This updated cookie guidance of the Spanish Regulator follows the approach of the French and Belgium Supervisory Authorities and the British Information Commissioner’s Office (“ICO”). Looking ahead, updates from various other EU Supervisory Authorities will be closely monitored to determine if a similar approach will be adopted in other EU Member States.

Does your organization have any questions about cookies? Contact us, the Experts in Data Privacy at for assistance.