A company may be sanctioned if its cookie banner makes acceptance easy but does not offer an equivalent way to reject non-essential cookies. Strictly necessary cookies may be used without consent, but analytics, advertising or non-essential personalisation cookies require a free and informed choice.
What the Spanish Data Protection Authority requires
The AEPD Cookie Guide states that users must be able to accept, configure or reject cookies clearly. In its note on the updated Cookie Guide, the AEPD also announced that the updated criteria had to be implemented by 11 January 2024.
Common cookie banner mistakes
- No reject button in the first layer when an accept button is shown.
- Making rejection less visible than acceptance.
- Forcing users through several steps to reject cookies.
- Using pre-ticked boxes for non-essential cookies.
- Dropping cookies before valid consent is obtained.
- Confusing technical cookies with analytics or advertising cookies.
What a compliant banner should do
The banner should clearly explain who uses cookies, for what purposes and how users can change their decision. If an “Accept” button is shown, users should have an equivalent option to reject or configure cookies without unnecessary friction.
The cookie policy should also identify cookie types, controllers, duration, purposes and how consent can be withdrawn.
Checklist for companies
- Check whether cookies load before consent.
- Make accepting and rejecting equally easy.
- Update the cookie policy with real, specific information.
- Document the consent management configuration.
- Regularly audit third-party cookies, pixels and tags.
Conclusion
Failing to allow users to reject non-essential cookies is one of the most visible compliance problems on a website. A clear and balanced banner reduces sanction risk and improves user trust.



