
GDPR Consent Rules in 2026: What Spanish Businesses Must Update Now


Elena Vasquez-Moretti

[Image: Business team reviewing GDPR consent settings and privacy compliance records during a data protection meeting.]

In 2026, Spain's data protection authority sanctioned Yoti Ltd, a British digital identity and age verification company, in a case involving biometric data, retention periods, and consent failures. Public reporting on the decision states that part of the penalty related specifically to invalid consent obtained through pre-ticked checkboxes. Yoti has publicly confirmed that it was sanctioned by the AEPD and says it has begun an appeal process. See Yoti sanction reporting and Yoti response.

That is what makes consent dangerous.

It often looks small - a checkbox, a cookie banner, a newsletter opt-in, a form field. But if the person did not clearly choose it, understand it, and have a real way to refuse or withdraw it, that small design decision can become evidence of non-compliance.

For Spanish businesses in 2026, GDPR consent is no longer just a website detail. It affects how you collect leads, send marketing emails, use cookies, configure Google tools, process minors' data, and prove accountability if the AEPD ever asks questions.

This guide breaks down what valid GDPR consent means in Spain, where businesses commonly get it wrong, and what you should update now. This article goes deeper into the consent problem.

The Real Problem With GDPR Consent in 2026

Most Spanish businesses do not fail at consent because they ignore GDPR completely.

They fail because consent is treated like a design element instead of a legal control.

A banner is added. A checkbox is inserted. A privacy policy is linked. A marketing tool is connected.

And the business assumes everything is covered.

But GDPR consent is not about whether a form exists. It is about whether the person had a real, informed, specific, and provable choice.

That difference matters.

Because if your cookie banner pushes people toward "Accept all," if your newsletter consent is hidden inside another form, or if your Google tags fire before the visitor chooses, the issue is not just user experience. It is compliance.

What Counts as Valid GDPR Consent?

[Image: Four requirements for valid GDPR consent: freely given, specific, informed, and unambiguous.]

Under GDPR Article 4, consent must be freely given, specific, informed, and unambiguous. The person must take a clear affirmative action that shows they agree to the processing of their personal data. The EDPB consent guidelines expand on how that standard should be interpreted in practice.

Simple on paper.

Much harder in practice.

Consent Must Be Freely Given

A person must be able to say no without being unfairly blocked, pressured, or punished.

For example, if a website forces visitors to accept advertising cookies before they can access normal content, the consent may not be truly free.

The same issue appears when businesses make optional marketing consent feel mandatory.

A course registration form may need an email address to create the learner account. But that does not automatically mean the person has agreed to receive promotional campaigns.

That is the line businesses need to respect.

Necessary processing is one thing. Optional consent is another.

Consent Must Be Specific

One checkbox should not cover five different purposes.

This is where many forms become risky.

A weak version says:

"I accept the privacy policy and agree to receive communications."

That sounds normal. But it bundles too much together.

What communications? From whom? For what purpose? Is it service information or marketing? Can the person refuse marketing and still submit the form?

A stronger approach separates the purposes clearly:

  • Account or service communication - needed to deliver the service.
  • Marketing emails - optional promotional consent.
  • Analytics cookies - optional website measurement consent.
  • Advertising cookies - optional tracking, remarketing, or personalization consent.

The more specific the purpose, the easier it is to prove what the user actually agreed to.

Consent Must Be Informed

People cannot consent to something they do not understand.

That does not mean every form needs a wall of legal text. In fact, too much legal wording can make the choice less clear.

A good consent message tells the user:

  • Who is collecting the data
  • What they are agreeing to
  • Why the data is being used
  • Whether third parties are involved
  • How they can withdraw consent
  • Where they can read more

The best consent wording is short, plain, and connected to a clear privacy notice.

Consent Must Be Unambiguous

Silence is not consent. Inactivity is not consent. A pre-ticked box is not consent. A hidden opt-out is not consent.

The person must actively choose.

That could mean ticking an empty checkbox, clicking a clearly labelled button, or selecting a preference in a consent panel.

But it cannot be based on trick design.

And this is where cookie banners, forms, and marketing tools often create problems.

Consent Is Not Always the Best Lawful Basis

Here is the part many businesses miss:

GDPR consent is not always the safest option.

It feels safe because the user "agreed." But if consent is not appropriate for the situation, relying on it can create more risk, not less.

GDPR provides several lawful bases for processing personal data. Consent is only one of them.

A Spanish ecommerce business usually does not need consent to process a customer's delivery address for an order. That processing may be necessary to fulfil a contract.

A company may need to keep invoices for tax reasons. That is usually a legal obligation, not consent.

An employer should be careful about relying on employee consent because the employee may not feel they have a real choice.

So before adding a checkbox, ask a better question:

Do we genuinely need consent here, or is another lawful basis more accurate?

When Consent Usually Makes Sense

Consent is commonly relevant for:

  • Newsletter subscriptions
  • Non-essential cookies
  • Marketing tracking
  • Remarketing campaigns
  • Optional profiling
  • Certain app permissions
  • Some uses of special category data where explicit consent is required

For example, if someone downloads a GDPR checklist and you want to send them promotional course emails later, you should not quietly add them to a marketing sequence. You need a clear basis for that marketing.

Often, that means separate consent.

Why Defaulting to Consent Can Backfire

Consent can be withdrawn.

That is the point.

If a person withdraws consent, your business must stop processing for that purpose unless another lawful basis applies.

So if your business actually needs the data to deliver the service, consent may be the wrong basis from the beginning.

This is why consent should be used carefully.

Not everywhere. Not automatically. Not because it feels safer.

Use it where the person's choice is genuinely optional.

Article 7 GDPR: Consent Must Be Provable

GDPR Article 7 is the part businesses cannot afford to ignore.

It says that where processing is based on consent, the controller must be able to demonstrate that the person consented. It also says withdrawal must be as easy as giving consent.

In plain English:

You do not just need consent. You need proof.

What a Good Consent Record Should Show

[Image: GDPR consent record showing who consented, when, source, wording, purpose, and withdrawal status.]

If the AEPD, a customer, or an internal auditor asks how consent was collected, your business should be able to answer.

A useful consent record should show:

  • Who gave consent
  • When consent was given
  • Where it was collected
  • What wording the person saw
  • What purpose the consent covered
  • Which privacy or cookie policy version applied
  • Whether the person later changed or withdrew consent

This matters for cookie platforms, CRM systems, email tools, landing pages, lead magnets, analytics tags, and advertising tools.

A business that cannot prove consent is relying on memory.

And memory is not a compliance system.

Consent Should Not Be Buried in Terms

Consent should be separate from general terms and conditions.

This is weak:

"By creating an account, you agree to our terms, privacy policy, cookie policy, and promotional communications."

It mixes several things together.

A better structure is:

  • Required: account creation and service-related processing.
  • Optional: marketing emails.
  • Optional: analytics cookies.
  • Optional: advertising and personalization cookies.

That gives users a real choice.

It also gives the business a cleaner record.

Withdrawal Must Be Easy

If a user can give consent in one click, they should not need to send a formal email, search through hidden settings, or wait for a manual response to withdraw it.

This applies to email unsubscribe links, cookie preference settings, account privacy controls, marketing preference centers, and app permissions.

The test is simple:

Is it as easy to leave as it was to join?

If not, the process needs work.

Cookie Consent in Spain: The AEPD Standard Businesses Should Follow

Cookie consent is one of the most visible GDPR risks for Spanish businesses.

It appears before trust is built.

A visitor lands on your website, sees your banner, and immediately understands whether your business is giving them a real choice - or pushing them toward acceptance.

The AEPD cookie guidance update states that accepting and rejecting cookies must be presented in a prominent place and format, at the same level, without making rejection more difficult than acceptance. The updated criteria had to be implemented by 11 January 2024, so by 2026 this should already be part of your baseline setup.

The "Accept All" Problem

[Image: Cookie consent comparison showing risky design versus better practice with equal user choices.]

A risky banner looks like this:

Accept all

Configure cookies

The reject option is not really visible. The user has to work harder to refuse than to accept.

A stronger banner looks like this:

Accept all

Reject all

Configure cookies

The AEPD Guide on the Use of Cookies also makes clear that where cookie settings are used, a "Reject all cookies" option should be available and pre-ticked boxes in favour of accepting cookies are not acceptable.

The message for Spanish businesses is clear:

Do not design your banner to win consent. Design it to respect choice.

Non-Essential Cookies Should Wait

Strictly necessary cookies are different because the website needs them to function.

But analytics, advertising, personalization, social media, heatmap, and remarketing cookies generally require consent before they are placed or accessed.

That means your banner is not enough if tracking scripts already fire in the background.

This is a common problem.

The website looks compliant because a banner appears. But the technology behind the page has already started collecting data.

That is not meaningful consent.

Cookie Categories Should Be Clear

A good cookie preference center should help users understand what they are choosing.

Useful categories include:

  • Strictly necessary cookies - required for core website functions.
  • Analytics cookies - used to understand performance and visitor behaviour.
  • Advertising cookies - used for ad targeting, remarketing, and campaign measurement.
  • Personalization cookies - used to remember preferences or customize content.
  • Social media or third-party cookies - used when embedded tools or external platforms collect data.

Do not make the panel so complicated that users give up.

But do not make it so vague that the choice becomes meaningless.

Users Must Be Able to Change Their Mind

Cookie consent is not permanent.

Your website should include a visible way to reopen cookie settings. This can sit in the footer, privacy center, cookie policy, or a small persistent privacy icon.

The point is not decoration.

It is control.

If users can accept cookies easily, they should be able to reject or change them easily too.

Google Consent Mode v2: The Technical Update Many Businesses Miss

For Spanish businesses using Google tools, consent is not only a legal issue.

It is also a tag configuration issue.

Google Consent Mode documentation explains consent signals such as `ad_user_data`, which controls consent for sending advertising-related user data to Google, and `ad_personalization`, which controls consent for personalized advertising.

This matters if your business uses:

  • Google Analytics 4
  • Google Ads
  • Google Tag Manager
  • Remarketing
  • Conversion tracking
  • Enhanced conversions
  • Personalized advertising
  • Ecommerce analytics

Consent Mode Is Not a Compliance Shortcut

Consent Mode does not fix a bad cookie banner.

It does not replace a privacy policy.

It does not prove that consent was valid.

It only works properly when your consent management platform, cookie categories, Google tags, and user choices are correctly connected.

So the practical question is not:

"Do we have Consent Mode?"

The better question is:

Does our setup actually respect the user's choice before data is sent or used?

What Spanish Businesses Should Check

[Image: Google Consent Mode v2 flow from user choice to CMP, GTM, and Google marketing tools.]

Your web or marketing team should review:

  • Whether the CMP integrates correctly with Google Tag Manager
  • Whether non-essential tags wait for consent
  • Whether analytics and advertising consent are separated
  • Whether `ad_user_data` and `ad_personalization` are configured properly
  • Whether consent choices are stored in an auditable way
  • Whether users can change consent later

This is especially important for businesses running paid campaigns in Spain or across the EEA.

Because if consent signals are wrong, your marketing data may look clean while your compliance position is not.
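The two technical points above, that non-essential tags must wait for the visitor's choice and that the choice must reach Google as the right Consent Mode v2 signals, can be checked in a small model of the gate itself. The following is an added example, not code from the article, from Google, or from any CMP vendor. The `gtag('consent', 'default' | 'update', {...})` call shape and the signal names `ad_storage`, `analytics_storage`, `ad_user_data`, `ad_personalization` and `wait_for_update` are Google's documented API; the cookie category names (`analytics`, `advertising`, `personalization`), the tag registry and the `dataLayer` stand-in are assumptions constructed so the example runs offline in Node without a browser or a real tag.

```javascript
// Added example: a consent gate that sets denied defaults before any tag runs,
// maps banner categories to Consent Mode v2 signals, and releases non-essential
// tags only for the categories the visitor actually granted.

// Category names are an assumption (what a banner might offer); the mapping of
// each category to Consent Mode signals is the part worth checking in a real setup.
const CATEGORY_TO_SIGNALS = {
  analytics: ['analytics_storage'],
  advertising: ['ad_storage', 'ad_user_data'],
  personalization: ['ad_personalization'],
};

// All Consent Mode v2 signals denied until the visitor decides. wait_for_update
// tells the tag how long (ms) to hold data before treating the defaults as final.
const DENIED_DEFAULTS = {
  ad_storage: 'denied',
  analytics_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  wait_for_update: 500,
};

function createConsentGate() {
  const dataLayer = [];                         // stand-in for window.dataLayer
  function gtag() { dataLayer.push(Array.from(arguments)); }
  const pending = [];                           // tags queued until consent
  const fired = [];                             // tags that were allowed to run

  gtag('consent', 'default', DENIED_DEFAULTS);  // must be pushed before any tag loads

  return {
    dataLayer,
    fired,
    // Strictly necessary tags run at once; everything else waits for a choice.
    registerTag(name, category) {
      if (category === 'necessary') { fired.push(name); return true; }
      pending.push({ name, category });
      return false;
    },
    // Turn a banner choice such as {analytics: true} into a consent update and
    // release only the queued tags whose category was granted. Anything not
    // explicitly true stays denied, so "Reject all" is simply an empty choice.
    applyChoice(choice) {
      const signals = {};
      for (const [category, names] of Object.entries(CATEGORY_TO_SIGNALS)) {
        const state = choice[category] === true ? 'granted' : 'denied';
        for (const s of names) signals[s] = state;
      }
      gtag('consent', 'update', signals);
      const released = [];
      for (let i = pending.length - 1; i >= 0; i--) {
        if (choice[pending[i].category] === true) {
          released.unshift(pending[i].name);
          fired.push(pending[i].name);
          pending.splice(i, 1);
        }
      }
      return { signals, released };
    },
    rejectAll() { return this.applyChoice({}); },
    pendingNames() { return pending.map(t => t.name); },
  };
}

// Stand-alone walk-through with constructed tag names.
const gate = createConsentGate();
gate.registerTag('session-cookie', 'necessary');
gate.registerTag('ga4-config', 'analytics');
gate.registerTag('ads-remarketing', 'advertising');
console.log('after reject all:', gate.rejectAll());
console.log('after analytics only:', gate.applyChoice({ analytics: true }));
console.log('still waiting:', gate.pendingNames());
```

The audit this models is the one the checklist asks for: the first `dataLayer` entry must be the denied default and must exist before any tag, a rejection must produce an update with every signal denied and release nothing, and a partial acceptance must grant only the signals for the chosen category while the other tags stay queued.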

Email Marketing Consent: Where Many Businesses Create Hidden Risk

Email marketing consent usually fails quietly.

Not when the campaign is sent.

Earlier.

At the moment the contact entered the list.

A person fills out a form. Downloads a guide. Registers for a webinar. Creates an account. Books a consultation.

Then they start receiving promotional emails.

The question is:

Did they clearly agree to that marketing, or did the business assume it?

Do Not Bundle Marketing Consent With Service Actions

A user signing up for a course should receive course-related emails.

That does not automatically mean they agreed to receive promotional campaigns.

A user submitting a contact form may expect a reply.

That does not automatically mean they agreed to newsletters.

A user downloading a resource may expect the resource.

That does not automatically mean they agreed to long-term marketing.

A cleaner form separates the actions:

  • Submit enquiry - required to respond to the message.
  • Marketing opt-in - optional consent for newsletters, offers, and related resources.

For example:

"I agree to receive email updates about compliance training, regulatory changes, and related business resources. I can unsubscribe at any time."

That is specific. It is understandable. And it is much easier to defend.

Keep Proof of Opt-In

For each marketing contact, your business should be able to identify:

  • When the person subscribed
  • Which form or page they used
  • What wording they saw
  • What campaign or source collected the consent
  • Whether double opt-in was used
  • Whether they later unsubscribed

This does not need to be dramatic.

It just needs to be reliable.

Because if someone complains that they never agreed to receive marketing, your business needs more than "they must have filled out a form."
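The consent record described earlier (who, when, where, wording, purpose, policy version, withdrawal) and the proof-of-opt-in list just above are the same data structure seen from two sides. The following is an added example, not code from the article or from any CRM or email platform, of an append-only consent ledger that keeps that evidence and answers "may we email this contact for this purpose right now?" from the evidence rather than from memory. The class name, field names, event types and all sample contacts, dates and sources are assumptions constructed for the example.

```javascript
// Added example: an in-memory consent ledger. Every opt-in, double opt-in
// confirmation and withdrawal is an immutable event; the current position for a
// subject and purpose is derived by replaying those events up to a point in time.

class ConsentLedger {
  constructor() { this.events = []; }

  // Record an affirmative opt-in. Refuses anything that is not an active, informed
  // choice (a pre-ticked box, missing wording or policy version), so weak consent
  // never enters the ledger as if it were valid.
  recordConsent(e) {
    for (const k of ['subject', 'purpose', 'source', 'wording', 'policyVersion', 'at']) {
      if (!e[k]) throw new Error(`consent event missing ${k}`);
    }
    if (e.preTicked) throw new Error('a pre-ticked box is not an affirmative action');
    this.events.push({ ...e, type: 'given', doubleOptIn: !!e.doubleOptIn });
    return this.events.length - 1;
  }

  // Confirmation link clicked (only meaningful when the opt-in used double opt-in).
  recordConfirmation({ subject, purpose, source, at }) {
    this.events.push({ type: 'confirmed', subject, purpose, source, at });
  }

  // Withdrawal must be recorded from wherever it happened: unsubscribe link,
  // preference centre, support request.
  recordWithdrawal({ subject, purpose, source, at }) {
    this.events.push({ type: 'withdrawn', subject, purpose, source, at });
  }

  // Everything the business could show an auditor for one subject and purpose.
  evidence(subject, purpose) {
    return this.events
      .filter(ev => ev.subject === subject && ev.purpose === purpose)
      .sort((a, b) => a.at - b.at);
  }

  // State at a point in time: 'none' | 'pending' | 'active' | 'withdrawn'.
  stateAt(subject, purpose, at = Date.now()) {
    let state = 'none';
    for (const ev of this.evidence(subject, purpose)) {
      if (ev.at > at) break;
      if (ev.type === 'given') state = ev.doubleOptIn ? 'pending' : 'active';
      else if (ev.type === 'confirmed' && state === 'pending') state = 'active';
      else if (ev.type === 'withdrawn') state = 'withdrawn';
    }
    return state;
  }

  canProcess(subject, purpose, at) { return this.stateAt(subject, purpose, at) === 'active'; }
}

// Constructed sample history: one double opt-in that was later withdrawn, and one
// plain opt-in that is still active. Dates are epoch milliseconds from ISO strings.
function buildSampleLedger() {
  const t = s => Date.parse(s);
  const ledger = new ConsentLedger();
  ledger.recordConsent({
    subject: 'a@example.com', purpose: 'marketing', source: '/gdpr-checklist-download',
    wording: 'I agree to receive email updates about compliance training, regulatory changes, and related business resources. I can unsubscribe at any time.',
    policyVersion: 'privacy-notice-2026-01', doubleOptIn: true, at: t('2026-03-01T10:00:00Z'),
  });
  ledger.recordConfirmation({ subject: 'a@example.com', purpose: 'marketing', source: 'confirmation-link', at: t('2026-03-01T10:12:00Z') });
  ledger.recordWithdrawal({ subject: 'a@example.com', purpose: 'marketing', source: 'unsubscribe-link', at: t('2026-04-20T09:00:00Z') });
  ledger.recordConsent({
    subject: 'b@example.com', purpose: 'marketing', source: '/newsletter',
    wording: 'I agree to receive email updates about GDPR, compliance training, regulatory changes, and related resources. I can unsubscribe at any time.',
    policyVersion: 'privacy-notice-2026-01', at: t('2026-03-05T15:30:00Z'),
  });
  return ledger;
}

const sample = buildSampleLedger();
console.log('a@ on 15 March:', sample.stateAt('a@example.com', 'marketing', Date.parse('2026-03-15T00:00:00Z')));
console.log('a@ on 1 May:', sample.stateAt('a@example.com', 'marketing', Date.parse('2026-05-01T00:00:00Z')));
console.log('evidence for a@:', sample.evidence('a@example.com', 'marketing').map(ev => ev.type));
```

Two design points carry the Article 7 argument: events are never edited or deleted, so the record still shows what the person saw and when even after they withdraw, and the send decision is made per purpose and per point in time, so a campaign sent between opt-in and withdrawal can be defended while one sent after it cannot.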

Make Unsubscribing Simple

Every marketing email should include a clear unsubscribe option.

Not hidden. Not confusing. Not dependent on a manual support request.

If leaving your list is harder than joining it, the consent journey is broken.

And broken consent journeys create complaints.

Lead Forms, Downloads, and Website Opt-Ins: The Practical Fixes

[Image: Clean consent form structure separating required processing from optional marketing consent.]

Consent problems often begin on ordinary website forms.

Not because the business intended to mislead anyone, but because forms are copied, reused, and connected to automation tools without much review.

Contact Forms

A contact form should collect only what is necessary.

Usually, that means name, email address, and message.

If you ask for phone number, company size, job title, industry, budget, or location, make sure there is a clear reason.

More fields mean more data.

More data means more responsibility.

Add a short privacy notice near the form, and link to the full privacy policy.

Newsletter Forms

A newsletter form should say what the person will receive.

Avoid empty wording like:

"I agree to communications."

Better:

"I agree to receive email updates about GDPR, compliance training, regulatory changes, and related resources. I can unsubscribe at any time."

That tells the person what they are signing up for.

It also helps your business prove that the consent was informed.

Lead Magnets

Lead magnets need careful handling.

A downloadable checklist, template, or guide may require an email address for delivery. But using that email for future marketing should be explained separately.

A clean structure is:

  • Email address - used to send the requested resource.
  • Optional checkbox - used to collect marketing consent.

This avoids turning one download into unlimited permission.

Consent for Minors in Spain: The LOPDGDD Rule

Spain adds an important national layer through the LOPDGDD.

Under BOE Organic Law 3/2018, processing based on a minor's consent is generally lawful when the minor is at least 14 years old. For children under 14, consent must come from the holder of parental authority or guardianship.

This matters for businesses that may collect personal data from younger users.

Who Should Pay Attention?

The age rule can affect:

  • Online learning platforms
  • Apps and games
  • Ecommerce sites
  • Membership platforms
  • Youth services
  • EdTech businesses
  • Webinars or campaigns aimed at students
  • Platforms where minors may create accounts

Even if children are not your main audience, ask whether they can realistically access your service.

Age Checks Should Be Proportionate

Do not collect excessive data just to verify age.

A low-risk newsletter form does not require the same controls as a platform processing sensitive data from minors.

The principle is balance.

Verify enough to manage the risk. Do not collect more than you need.

Consent and AI Tools: A 2026 Risk Spanish Businesses Should Not Ignore

AI has made consent more complicated.

Many businesses now use chatbots, automated scoring tools, AI meeting transcription, customer profiling, recruitment screening, predictive analytics, or generative AI assistants.

If those tools process personal data, GDPR still applies.

AI Still Needs a Lawful Basis

Consent may be relevant in some AI use cases.

But it is not always enough.

A customer support chatbot collecting optional user preferences may raise one set of issues.

An HR screening tool that affects job applicants raises another.

A meeting transcription tool that captures names, voices, and business discussions creates a different risk again.

The question is not only:

"Did we get consent?"

The better question is:

What personal data is the AI tool processing, why, under what lawful basis, and with what controls?

Consent Does Not Remove Other GDPR Duties

Even where consent is used, businesses may still need transparency notices, data minimisation, retention limits, vendor review, security controls, DPIAs where risk is high, and human oversight where decisions significantly affect people.

Consent answers one question.

It does not answer all of them.

This is why AI-related processing should be reviewed as part of the wider GDPR programme, not handled as a marketing or software decision alone.

Common GDPR Consent Mistakes Spanish Businesses Should Avoid

Consent mistakes are often easy to spot once you know what to look for.

The problem is that many businesses never look.

Mistake 1: Using Pre-Ticked Boxes

A pre-ticked box does not show an active choice.

The user did not agree.

They simply failed to disagree.

That is weak consent.

Mistake 2: Hiding the Reject Button

If "Accept all" is bright and immediate, while "Reject" is hidden behind settings, the design is pushing the user.

The AEPD has made clear that accepting and rejecting cookies should be presented at the same level and not make rejection more difficult.

Mistake 3: Loading Tracking Tools Before Consent

A banner does not solve the problem if advertising, analytics, or remarketing tags fire before the user chooses.

Audit the actual tag behaviour.

Not just the banner design.

Mistake 4: Using One Checkbox for Everything

Marketing emails, analytics cookies, partner offers, profiling, and advertising are not the same purpose.

Do not treat them as one.

Mistake 5: Keeping No Consent Records

If you cannot show when, where, and how consent was collected, your position is weak.

GDPR accountability is not based on trust.

It is based on evidence.

Mistake 6: Making Withdrawal Difficult

Consent must be easy to withdraw.

That means unsubscribe links, accessible cookie settings, and clear privacy controls.

Not a maze.

Mistake 7: Treating Consent as a One-Time Setup

Consent systems age quickly.

New plugins, forms, ad campaigns, CRM tools, AI tools, and website updates can change what data is collected.

Review consent regularly.

GDPR Consent Checklist for Spanish Businesses in 2026

[Image: GDPR consent checklist for Spanish businesses covering banners, tags, records, withdrawals, and minors.]

Use this as a practical update checklist.

  • Review every consent point on your website. Check banners, forms, pop-ups, checkout flows, lead magnets, newsletter blocks, and account registration pages.
  • Check your cookie banner design. Make sure users can accept, reject, and configure cookies without pressure.
  • Stop non-essential cookies before consent. Review analytics, advertising, remarketing, heatmap, and social media tags.
  • Separate consent by purpose. Do not use one checkbox for unrelated processing activities.
  • Update marketing opt-ins. Make promotional consent optional, specific, and easy to withdraw.
  • Store consent records. Keep the date, source, wording, purpose, privacy notice version, and withdrawal status.
  • Review Google Consent Mode v2. Check GA4, Google Ads, Google Tag Manager, CMP settings, and consent signals.
  • Make withdrawal easy. Use unsubscribe links, cookie preference links, and clear account privacy settings.
  • Check consent for minors. If young users may interact with your service, review Spain's age 14 consent rule.
  • Update privacy and cookie policies. Make sure your policies match the tools you actually use.
  • Train staff. Marketing, sales, customer support, HR, and operations teams should understand when consent matters.
  • Review third-party tools. Check email platforms, CRMs, CMPs, analytics providers, advertising platforms, and AI tools.
  • Document your decisions. If you choose consent as the lawful basis, record why.

When Should Spanish Businesses Update Their Consent Practices?

Now.

Not because GDPR suddenly created a brand-new consent rule in 2026.

Because the way businesses collect and use data has changed.

More companies now rely on Google Ads, GA4, CRM automation, landing pages, AI tools, remarketing pixels, lead magnets, and third-party SaaS platforms.

Each one can create a consent issue if the setup is not reviewed.

Start With the Highest-Risk Areas

Prioritise:

  • Cookie banners
  • Marketing opt-ins
  • Google Consent Mode v2
  • Email marketing lists
  • Consent records
  • Withdrawal mechanisms
  • Privacy and cookie policy accuracy

These are the areas most visible to users, customers, and regulators.

Then Review the Internal Gaps

After that, look at:

  • Old landing pages
  • Archived lead magnets
  • CRM imports
  • Sales team contact lists
  • AI tool usage
  • Third-party processors
  • Staff training

The goal is not to make everything perfect overnight.

The goal is to remove obvious weaknesses before they become complaints.

Final Thoughts: Consent Is Not Just a Checkbox

Consent looks simple until someone challenges it.

Then the question changes.

It is no longer:

"Did we have a checkbox?"

It becomes:

Was the choice clear? Was it optional? Was it specific? Was it recorded? Could the person withdraw it easily? Did our tools respect the decision?

That is the standard Spanish businesses need to work toward in 2026.

A good consent system does not pressure users. It gives them control, records their choice, and helps the business prove accountability.

That is not just better compliance.

It is better trust.

Build GDPR Compliance With More Confidence

Consent is only one part of GDPR compliance.

Spanish businesses also need to understand lawful bases, data subject rights, breach response, processor contracts, DPIAs, documentation, AI-related risks, and Spain's LOPDGDD requirements.

For structured, Spain-focused training, explore the EU GDPR Compliance and Data Protection for Businesses course from Spanish Compliance Institute.

Build your GDPR compliance foundation with practical guidance, templates, and a clearer path from awareness to implementation.


Frequently Asked Questions

What Counts as Valid GDPR Consent in Spain?

Valid GDPR consent must be freely given, specific, informed, and unambiguous. The person must take a clear affirmative action, and the business must be able to prove what was agreed to.

Can Spanish Businesses Use Pre-Ticked Boxes?

No. Pre-ticked boxes are not a reliable way to collect valid GDPR consent because the person has not actively chosen to agree.

Do Cookie Banners Need a Reject Button?

For non-essential cookies, Spanish businesses should provide a clear way to reject cookies. The AEPD states that accepting and rejecting cookies should be presented in a prominent place and format, at the same level, without making rejection more difficult than acceptance.

Is Consent Always Required for Email Marketing?

Consent is often needed for promotional emails, especially for new leads. The exact legal basis depends on the relationship, context, and applicable rules, but businesses should avoid automatically adding people to marketing lists without a clear basis.

Do Spanish Businesses Need Google Consent Mode v2?

Businesses using Google tags, GA4, Google Ads, remarketing, conversion tracking, or personalized advertising for EEA users should review Consent Mode v2 and its consent signals, including `ad_user_data` and `ad_personalization`.

What Age Can Minors Give Consent in Spain?

Spain's LOPDGDD generally sets the consent age at 14. For children under 14, consent must usually come from a parent or guardian.

How Long Should Businesses Keep Consent Records?

Businesses should keep consent records for as long as needed to demonstrate compliance for the relevant processing activity, including the period when complaints, audits, or regulatory questions may arise.

Is GDPR Consent Compliance a One-Time Task?

No. Consent should be reviewed whenever forms, cookies, marketing tools, analytics systems, AI tools, vendors, or processing purposes change.