In 2025, cookie consent is still causing confusion; Google's Consnet Mode V2, Microsoft UET, etc.
After providing an overview of the legal framework regulating cookie consent, we’ll break down all the available methods in detail, along with their characteristics, so you can decide which one works best for you. We’ll also go over other key aspects, such as the obligations of businesses using multi-purpose cookies or consent requirements for minors under 14. If you want to navigate the digital space with awareness… keep reading!
For the use of non-exempt cookies, obtaining user consent is always required; otherwise, the AEPD can impose fines, as stated in the Law on Information Society Services and Electronic Commerce, in force since 2002.
Exempt cookies are those with specific purposes that do not require the same level of protection as non-exempt cookies, as they are considered harmless regarding user data protection. Examples of exempt cookies include:
For all other types of cookies, consent is mandatory under Article 22.2 of the LSSI. This includes both first- and third-party cookies, as well as session and persistent cookies.
At this point, it’s crucial to remember that multi-purpose cookies (those serving more than one function) must use separate cookies for each purpose. A single cookie cannot be used interchangeably for both an exempt and a non-exempt purpose. This means that cookies should only be used if all grouped purposes are accepted. If a cookie serves two purposes but the user consents to only one, the cookie should not be used unless the cookie manager is aware and processes it accordingly.
When websites are specifically targeted at minors, additional measures should be adopted, such as using simpler and clearer language. Furthermore, the data controller must verify that parental or guardian consent has been obtained—for example, by incorporating a distinct banner.
Psst! Don’t know where to start? No worries—at Lawwwing, we’ve got you covered. If you have any doubts, just reach out!
Let’s get to it!
Understanding that compliance with cookie regulations revolves around consent is key. Consent can be explicitly given, such as by clicking a button that says "I consent," "I accept," or similar wording. It can also be inferred from a clear and specific user action, as long as they have been provided with clear and accessible information about the purpose of the cookies and whether they will be used by the website itself or third parties. However, mere inaction by the user can never be considered consent.
Luckily, there are multiple ways to obtain user consent while ensuring compliance. As we’ve emphasized in previous articles, users must always be given the option to reject cookies with the same visibility and prominence as the option to accept them.
Users can be asked to consent to non-exempt cookies when signing up for a service, provided that this consent is presented separately and is not bundled with the acceptance of terms and conditions, privacy policies, or general service agreements.
For example, this method can be applied when users create an account on a website or before they download audiovisual content.
Many websites and mobile apps allow users to personalize their experience by selecting preferences such as language, font type, or background color. Cookie consent can be integrated into this customization process, storing user-selected preferences.
A familiar example? Just like when your phone asks for permission to access your gallery or calendar—same logic applies to cookies!
A CMP is a tool that can be installed on a website or app to help cookie managers comply with information and consent requirements.
But beware—not just any CMP will do!
The Spanish Data Protection Agency (AEPD) has set specific obligations for these platforms, which must undergo audits or reviews to verify compliance.
Lawwwing is a Google-certified CMP, so using our plugin ensures compliance across the board. CMPs are the preferred choice among web designers, digital advertisers, and marketing professionals because they provide flexibility and streamline cookie management.
With a layered consent model, the first layer must include the consent request along with essential information. The user gives or denies consent through a clear action after receiving sufficient information. The second layer provides continuous details about cookie usage and how to configure or reject them.
Consent can be obtained, for example, via a visible accept button alongside a reject button. This information should be displayed in an easily noticeable format, such as a banner or bar—ideally at the top of the page to ensure visibility.
On devices with smaller screens, the size and content of the first layer should be adapted accordingly. However, this method requires significant time and effort to implement properly.
The best option for users. For this option to be valid, browser settings must allow users to express their consent to the use of cookies in accordance with the GDPR and EDPB guidelines. Consent must be specific to each intended purpose. The identification of data controllers does not need to include the full legal name; the brand name or public name is sufficient.
However, there is a drawback to this system: while browser settings are a valid way to obtain consent, they should not be the only mechanism for users to refuse or revoke it. The website owner must provide users with a way to reject or withdraw consent directly through the website or inform them about third-party tools that use cookies so they can withdraw their consent as easily as they granted it.
Ultimately, everything depends on what cookies you use and, most importantly, their purpose. A CMP solution is the best option for website owners—whether you work in digital marketing, online advertising, or simply run a business website.
If you have any questions, feel free to reach out—we’ll be happy to help!
