Website Rules in Spain

Spanish websites must comply with Ley 34/2002 (LSSI-CE) for the legal notice (aviso legal), the RGPD enforced by the AEPD, and strict cookie consent rules under Article 22.2 LSSI-CE. The AEPD is one of the most active data protection authorities in the EU, with hundreds of decisions per year.

Data protection authority: Agencia Española de Protección de Datos (AEPD)

Requirements: 6 country-specific rules

Guides: 12 guides available

Requirements specific to Spain

Aviso legal (Ley 34/2002 LSSI-CE Art. 10)

Every Spanish business website must display an aviso legal containing the company name, NIF or CIF, registered address, contact email, and (when applicable) the Mercantile Registry number and professional college details. This is required by Article 10 of Ley 34/2002 (LSSI-CE).

Cookie consent (LSSI-CE Art. 22.2)

Cookies and similar tracking technologies that are not strictly necessary require prior informed consent. The AEPD's Guía de Cookies (revised 2023) requires a banner with equally prominent Accept and Reject buttons, granular consent per purpose, and zero non-essential cookies before consent.

Privacy policy (RGPD Art. 13/14 + LOPDGDD Art. 11)

Any Spanish website that processes personal data through forms, accounts, or analytics needs a política de privacidad covering the identity of the responsable, the legal basis, data categories, retention periods, transfers, and rights, including the right to lodge a claim with the AEPD.

Accessibility (Real Decreto 193/2023 / EAA)

From 28 June 2025, businesses selling products or services online to consumers must meet WCAG 2.1 AA. Real Decreto 193/2023 transposes the EAA into Spanish law. Penalties for non-compliance can reach 1% of annual turnover.

Distance selling (Real Decreto Legislativo 1/2007 LGDCU)

Spanish e-commerce sites must display total price including VAT before checkout, offer a 14-day right of withdrawal (desistimiento), label the order button clearly with the payment obligation, and follow the Omnibus rules on prior price for discounts.

Email marketing (LSSI-CE Art. 21)

Article 21 of LSSI-CE prohibits unsolicited commercial communications by email or equivalent electronic means. Prior consent is required, including for B2B cold email. The AEPD enforces this in addition to the RGPD.

Enforcement in Spain

In December 2023 the AEPD fined Vodafone España €3.94 million for cookie banner failures, including pre-ticked categories and a Reject button buried two clicks deep. The decision (PS-00298-2023) cited Article 22.2 LSSI-CE alongside RGPD Articles 6 and 7. Smaller cases against pymes are far more common: the AEPD published over 600 sanctions in 2024, many in the €1,000–€10,000 range, and some as low as €600 for unanswered access requests.

Aviso legal: what must appear and where

Spanish small businesses sometimes hide their aviso legal in a tiny footer link, or skip it entirely on landing pages. Article 10 of LSSI-CE is explicit: the information must be permanent, easy to access, free, and direct. In practice that means a footer link visible from every page, leading to a page that lists the natural or legal person's name, NIF or CIF, full address, contact email, and (for registered companies) the Mercantile Registry section, volume, page, and registration number. Regulated professions (lawyers, doctors, architects) must add their professional college and collegiate number. Hosting your aviso legal only inside a PDF, behind a login, or on a subdomain that does not match your business does not meet the standard.

Cookie banners: what the AEPD actually requires

The AEPD Guía de Cookies revision in July 2023 made the rules clearer than the original 2020 version. A compliant banner has three things: an Accept button and a Reject button shown with equal visibility (same size, same colour intensity, same screen position), a link or button to manage preferences with granular categories (technical, preferences, analytics, marketing), and zero non-essential cookies set before the visitor interacts. Cookie walls that block content until consent are explicitly disallowed for sites that have alternative business models, and the AEPD has sanctioned this pattern. The most common failures the AEPD cites in its resoluciones are: pre-ticked boxes for non-essential categories, a Reject button hidden inside a settings panel, and analytics cookies (Google Analytics _ga, Microsoft Clarity, Hotjar) firing on page load.
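An added example, not code from the original page or its scanner: a check for the "zero non-essential cookies before consent" rule, run over cookies captured on first load before any interaction with the banner. The vendor name patterns other than `_ga`, the allow-list of strictly necessary cookies, and the sample data are assumptions constructed for illustration.

```javascript
// Added example. Vendor cookie-name patterns other than _ga are assumptions
// (commonly observed names); extend them for your own stack.
const ANALYTICS_PATTERNS = [
  { vendor: "Google Analytics", re: /^_(ga|gid|gat)(_|$)/ },
  { vendor: "Microsoft Clarity", re: /^_(clck|clsk)$/ },
  { vendor: "Hotjar", re: /^_hj/ },
];
// Hypothetical allow-list of strictly necessary cookies for the sample site.
const STRICTLY_NECESSARY = new Set(["PHPSESSID", "cookie_consent"]);

// Cookie name from one Set-Cookie header value ("name=value; Attr; ...").
function nameFromSetCookie(header) {
  return header.split(";")[0].split("=")[0].trim();
}

// Cookie names from a document.cookie snapshot ("a=1; b=2"); this catches
// cookies written by scripts, which never appear in response headers.
function namesFromDocumentCookie(snapshot) {
  return snapshot.split(";").map((p) => p.split("=")[0].trim()).filter(Boolean);
}

// Everything seen before consent that is not allow-listed is a finding.
// Known analytics names are labelled; the rest need manual classification.
function auditPreConsent(setCookieHeaders, documentCookie) {
  const names = new Set([
    ...setCookieHeaders.map(nameFromSetCookie),
    ...namesFromDocumentCookie(documentCookie),
  ]);
  const findings = [];
  for (const name of names) {
    if (STRICTLY_NECESSARY.has(name)) continue;
    const hit = ANALYTICS_PATTERNS.find((p) => p.re.test(name));
    const category = hit ? "analytics" : "unclassified";
    findings.push({ name, category, vendor: hit ? hit.vendor : null });
  }
  return findings;
}

// Constructed sample: first page load, no click on the banner yet.
const SAMPLE_HEADERS = [
  "PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "_clck=1x2y3z; Path=/; Max-Age=31536000",
];
const SAMPLE_DOCUMENT_COOKIE =
  "_ga=GA1.1.111.222; _ga_TEST123=GS1.1.0; _hjSessionUser_999=eyJ; lang=es";

console.log(auditPreConsent(SAMPLE_HEADERS, SAMPLE_DOCUMENT_COOKIE));
```

Capture the headers and the `document.cookie` snapshot in a fresh browser profile without touching the banner; any `analytics` finding corresponds to the "firing on page load" failure described above, and `unclassified` entries need to be assigned to one of the banner's categories by hand.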

How AEPD sanctions are calculated

The AEPD applies the LSSI-CE penalty bands of Article 39: minor infractions up to €30,000, serious infractions €30,001–€150,000, and very serious infractions €150,001–€600,000. RGPD violations follow Articles 83.4 and 83.5: up to €10 million or 2% of global turnover for processing breaches, up to €20 million or 4% for breaches of the lawful-basis requirement. In practice, smaller pymes usually receive sanctions from €1,000 to €10,000 once the aggravating (agravante) and mitigating (atenuante) factors in LOPDGDD Article 76 are applied. Voluntary acknowledgement of the infraction reduces the fine by 20%, and prompt payment by another 20%, so a €10,000 sanction can drop to €6,400 if you cooperate quickly.

Guides for Spain

Do I need a cookie banner in Spain? Quick guide

Does your website need a cookie banner under the AEPD and the LSSI-CE? This guide helps you decide in five minutes, with real examples and links to the regulations.

AEPD cookie sanctions: real decisions against pymes

AEPD cookie sanctions: real decisions, patterns of non-compliance with Art. 22.2 LSSI-CE, and the reductions available to your Spanish pyme.

Aviso legal on your website: what Art. 10 LSSI-CE says and how to write it

Article 10 of the LSSI-CE requires every Spanish website to publish an aviso legal with the details of the responsible party. We explain what to include, with a template and examples.

RGPD checklist for pymes and the self-employed in Spain

RGPD checklist for pymes and the self-employed in Spain: what the AEPD and the LOPDGDD require, step by step, without jargon.

PicRights or Copytrack letter in Spain: step-by-step response

A letter from PicRights, Copytrack or Permission Machine in Spain: how to verify whether it is legitimate, the four defences, and the initial 14-day response.

Dark patterns in cookie banners and the AEPD: what to avoid

AEPD dark patterns: deceptive patterns in cookie banners that invalidate RGPD consent. Full list and how to fix them on Spanish websites.

Copyright in web design in Spain: contracts and assignment

Copyright in web design projects in Spain: who owns the code, photos and text. Assignment, warranty and a model clause.

Expired web domain in Spain: how to prevent it and what to do

Expiry of .es domains and gTLDs: ICANN deadlines, renewal, recovery, avoiding cybersquatting and the SEO damage of losing the domain.

Menu photos and copyright for restaurants in Spain

How to use photos on your restaurant's menu in Spain without letters from PicRights or Getty: safe licences, your own photos and a model contract.

Google Maps and the RGPD in Spain: embedding with consent (2026)

How to embed Google Maps on your Spanish website in compliance with the RGPD: why the embed is unlawful without consent, and two patterns that do comply.

Online consumer mediator in Spain: is it mandatory?

Must your website mention a consumer mediator or the EU ODR platform? Obligations for online shops in Spain, what text to include and where to place it.

Vulnerable WordPress plugins in Spain: CVE and INCIBE-CERT

How to protect your WordPress from vulnerable plugins by following INCIBE-CERT alerts, CVE tracking and Art. 32 RGPD for websites in Spain.
