If your site sets non-essential cookies, you need a banner that asks for consent before they are set. The AEPD has fined sites for getting this wrong in ways that are easy to fix. miniterms generates a banner script and a matching Cookie Policy that reflect the current AEPD guidance.
What AEPD guidance requires
The current AEPD "Guía sobre el uso de las cookies" sets out the practical floor. The headline rules:
- No cookies before consent for any cookie that is not strictly necessary. The banner must appear and the user must act before non-essential cookies are written.
- Reject must be as easy as accept. A banner that has a prominent "Accept" button and a buried "Reject" link is not compliant. The AEPD has been explicit about this.
- Granular by category. The user must be able to accept or reject by category (functional, analytics, marketing) — accepting all is fine as a shortcut, but blanket-accept-only is not.
- Withdrawable. The user must be able to change their mind later, with effort no greater than the initial consent.
- Documented. You must be able to demonstrate, per visitor, what they consented to and when. This is the part most easily forgotten.
The legal basis sits on the e-Privacy Directive (2002/58/EC art. 5(3)) plus GDPR art. 7 on consent quality. The AEPD enforces it in Spain.
Responsibility notice on generated Cookie Policies
Every Cookie Policy generated by miniterms begins with the same responsibility notice that ships on every miniterms document:
Your responsibility — This cookie policy is built to current GDPR and AEPD requirements from public regulatory and supervisory-authority sources, and kept up to date as the law changes. It is only as accurate as the information you provided: you are responsible for ensuring your answers are truthful and that this document reflects how your business actually collects and uses data. It is not individualised legal advice. Having a lawyer review it is optional, not required.
This notice cannot be removed or hidden. It travels with the document through ZIP export, Hub sync, and any share link. The document is built to current regulatory sources, but it is only as accurate as the inputs you provide. The notice therefore makes clear that you are responsible for the truthfulness of those inputs and for making sure the finished policy matches how your site actually uses cookies. A lawyer review is optional, not required.
What miniterms generates
The Cookie Policy is one of the four document types miniterms produces. It lists:
- Each cookie category (strictly necessary, functional, analytics, marketing)
- Within each category, the specific cookies (name, provider, lifetime, purpose)
- A statement on third-country transfers if any of the cookies originate from outside the EEA
The banner itself is a separate artifact in your dashboard — a JavaScript snippet you embed in your site's <head>. It reads its configuration from the cookies you declared in your business profile, so the banner and the Cookie Policy stay in sync.
What the generated banner looks like
The miniterms banner is a minimal, non-blocking layer with three primary actions:
- Accept all — sets a consent record allowing every declared category
- Reject all — sets a consent record allowing only strictly necessary cookies
- Choose — opens a panel with one toggle per category
Visually it matches whatever theme you configured in your profile (color, position, language). It records the consent in a first-party cookie (miniterms_consent) with the timestamp and the categories. That cookie is your accountability record.
Embedding the banner
- Open Cookie banner → Embed in the dashboard
- Copy the <script> snippet
- Paste it inside your site's <head>, before any other tag manager or analytics tag
The order matters. The banner needs to run first so that it can block subsequent scripts from setting cookies until the user has chosen. Tag managers (GTM, Tealium) accept the banner's consent record via their built-in consent mode.
What miniterms does NOT do
We do not auto-scan your site for cookies you forgot to declare. You declare the cookies you intend to set in the business profile; the banner enforces those declarations. If your analytics provider quietly adds a new cookie, the banner does not block it, because it does not know about it. Periodically run your site through a cookie scanner (the AEPD published one as part of its 2023 enforcement campaign) and update your profile accordingly.
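Between scanner runs, a small audit of the cookies actually present can catch the gap described above. The following is an added example, not miniterms code: it assumes the miniterms_consent value is URL-encoded JSON with `ts` and `categories` fields, and the inventory names and category labels are constructed for illustration.

```javascript
// Constructed inventory: cookie name -> declared category (hypothetical labels).
const DECLARED = new Map([
  ["miniterms_consent", "necessary"],
  ["session_id", "necessary"],
  ["ui_lang", "functional"],
  ["_ga", "analytics"],
]);

// Split a Cookie header (or a document.cookie string) into name -> value.
function parseCookies(header) {
  const jar = new Map();
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    const name = eq < 0 ? "" : part.slice(0, eq).trim();
    if (name) jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// Return the consent record, or null when it is missing or malformed.
function readConsent(jar) {
  const raw = jar.get("miniterms_consent");
  if (raw === undefined) return null;
  try {
    const rec = JSON.parse(decodeURIComponent(raw)); // assumed encoding
    const ok = Array.isArray(rec.categories) && !Number.isNaN(Date.parse(rec.ts));
    return ok ? rec : null;
  } catch {
    return null; // bad percent-encoding, bad JSON, or a non-object value
  }
}

// Flag cookies missing from the inventory, and declared cookies whose
// category the visitor has not accepted (no valid record = necessary only).
function auditCookies(header, declared = DECLARED) {
  const jar = parseCookies(header);
  const consent = readConsent(jar);
  const allowed = new Set(["necessary", ...(consent ? consent.categories : [])]);
  const out = { consentRecorded: consent !== null, undeclared: [], withoutConsent: [] };
  for (const name of jar.keys()) {
    if (!declared.has(name)) out.undeclared.push(name);
    else if (!allowed.has(declared.get(name))) out.withoutConsent.push(name);
  }
  return out;
}

// Constructed sample: visitor accepted "functional" only.
const SAMPLE_HEADER = "session_id=abc; _ga=GA1.2.3; _fbp=fb.1.2; miniterms_consent=" +
  encodeURIComponent(JSON.stringify({ ts: "2024-05-01T10:00:00Z", categories: ["functional"] }));
```

`document.cookie` does not expose HttpOnly cookies, so for full coverage run the audit against the `Cookie` request header as your server receives it.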
Cross-site consent
If you run multiple subdomains, you can choose whether the consent record applies site-wide or per-subdomain. The choice is in Cookie banner → Settings. AEPD guidance is permissive about site-wide consent provided the user is informed about the scope at the time of consent.