Cookie banner — AEPD guidance, in practice

What the AEPD requires of a cookie banner, what miniterms generates, and how to embed the banner on your site.

If your site sets non-essential cookies, you need a banner that asks for consent before they are set. The AEPD has fined sites for getting this wrong in ways that are easy to fix. miniterms generates a banner script and a matching Cookie Policy that reflect the current AEPD guidance.

What AEPD guidance requires

The current AEPD "Guía sobre el uso de las cookies" sets out the practical floor. The headline rules:

  1. No cookies before consent for any cookie that is not strictly necessary. The banner must appear and the user must act before non-essential cookies are written.
  2. Reject must be as easy as accept. A banner that has a prominent "Accept" button and a buried "Reject" link is not compliant. The AEPD has been explicit about this.
  3. Granular by category. The user must be able to accept or reject by category (functional, analytics, marketing) — accepting all is fine as a shortcut, but blanket-accept-only is not.
  4. Withdrawable. The user must be able to change their mind later, with effort no greater than the initial consent.
  5. Documented. You must be able to demonstrate, per visitor, what they consented to and when. This is the part most easily forgotten.

The legal basis sits on the e-Privacy Directive (2002/58/EC art. 5(3)) plus GDPR art. 7 on consent quality. The AEPD enforces it in Spain.

What miniterms generates

The Cookie Policy is one of the four document types miniterms produces. It lists:

  • Each cookie category (strictly necessary, functional, analytics, marketing)
  • Within each category, the specific cookies (name, provider, lifetime, purpose)
  • A statement on third-country transfers if any of the cookies originate from outside the EEA

The banner itself is a separate artifact in your dashboard — a JavaScript snippet you embed in your site's <head>. It reads its configuration from the cookies you declared in your business profile, so the banner and the Cookie Policy stay in sync.

What the generated banner looks like

The miniterms banner is a minimal, non-blocking layer with three primary actions:

  • Accept all — sets a consent record allowing every declared category
  • Reject all — sets a consent record allowing only strictly necessary cookies
  • Choose — opens a panel with one toggle per category

Visually it matches whatever theme you configured in your profile (color, position, language). It records the consent in a first-party cookie (miniterms_consent) with the timestamp and the categories. That cookie is your accountability record.

Embedding the banner

  1. Open Cookie banner → Embed in the dashboard
  2. Copy the <script> snippet
  3. Paste it inside your site's <head>, before any other tag manager or analytics tag

The order matters. The banner needs to run first so that it can block subsequent scripts from setting cookies until the user has chosen. Tag managers (GTM, Tealium) accept the banner's consent record via their built-in consent mode.

What miniterms does NOT do

We do not auto-scan your site for cookies you forgot to declare. You declare the cookies you intend to set in the business profile; the banner enforces those declarations. If your analytics provider quietly adds a new cookie, the banner does not block it, because it does not know about it. Periodically run your site through a cookie scanner (the AEPD published one as part of its 2023 enforcement campaign) and update your profile accordingly.
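As an added example (not miniterms code), the JavaScript below shows one way to check for the gap described above: it compares the cookies present on a page against a declared list and a consent record, and reports cookies nobody declared as well as declared cookies set without consent. The declared list, the category keys and the JSON layout of the miniterms_consent value are assumptions made for illustration; only the cookie name comes from this page.

```javascript
// Added example, not miniterms code. Assumed for illustration: the declared
// list, the category keys, and a URL-encoded JSON consent value.
const CONSENT_COOKIE = "miniterms_consent"; // cookie name taken from the page

// Constructed stand-in for the cookies declared in a business profile.
const DECLARED = [
  { pattern: /^miniterms_consent$/, category: "necessary" },
  { pattern: /^session_id$/, category: "necessary" },
  { pattern: /^_ga(_.+)?$/, category: "analytics" },
  { pattern: /^_fbp$/, category: "marketing" },
];

// Parse a document.cookie-style string into a Map of name -> raw value.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    const name = eq < 0 ? "" : part.slice(0, eq).trim();
    if (name) jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// Allowed categories; a missing or malformed record fails closed to necessary only.
function allowedCategories(jar) {
  const allowed = new Set(["necessary"]);
  try {
    const rec = JSON.parse(decodeURIComponent(jar.get(CONSENT_COOKIE) ?? ""));
    if (Array.isArray(rec.categories)) rec.categories.forEach((c) => allowed.add(String(c)));
  } catch { /* keep the fail-closed default */ }
  return allowed;
}

// Report cookies nobody declared and declared cookies set without consent.
function auditCookies(cookieString, declared = DECLARED) {
  const jar = parseCookies(cookieString);
  const allowed = allowedCategories(jar);
  const report = { undeclared: [], withoutConsent: [] };
  for (const name of jar.keys()) {
    const entry = declared.find((d) => d.pattern.test(name));
    if (!entry) report.undeclared.push(name);
    else if (!allowed.has(entry.category)) report.withoutConsent.push(name);
  }
  return report;
}

// Constructed sample: the visitor accepted analytics only.
const SAMPLE = "session_id=abc; _ga=GA1.2.1; _fbp=fb.1.2; _hjid=xyz; " +
  `${CONSENT_COOKIE}=` + encodeURIComponent(JSON.stringify({ ts: "2024-01-01T00:00:00Z", categories: ["analytics"] }));
```

In a browser, pass document.cookie to auditCookies. Cookies marked HttpOnly are not visible to page scripts, so this check complements a cookie scanner rather than replacing it.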

Cross-site consent

If you run multiple subdomains, you can choose whether the consent record applies site-wide or per-subdomain. The choice is in Cookie banner → Settings. AEPD guidance is permissive about site-wide consent provided the user is informed about the scope at the time of consent.