Website Rules in Spain
Spanish websites must comply with Ley 34/2002 (LSSI-CE) for the legal notice (aviso legal), the RGPD enforced by the AEPD, and strict cookie consent rules under Article 22.2 LSSI-CE. The AEPD is one of the most active data protection authorities in the EU, with hundreds of decisions per year.
Data protection authority: Agencia Española de Protección de Datos (AEPD)
Requirements: 6 country-specific rules
Guides: 7 guides available
Specific requirements for Spain
Aviso legal (Ley 34/2002 LSSI-CE Art. 10)
Every Spanish business website must display an aviso legal containing the company name, NIF or CIF, registered address, contact email, and (when applicable) the Mercantile Registry number and professional college details. Required by Article 10 of the Ley 34/2002 (LSSI-CE).
Cookie consent (LSSI-CE Art. 22.2)
Cookies and similar tracking technologies that are not strictly necessary require prior informed consent. The AEPD's Guía de Cookies (revised 2023) requires a banner with equally prominent Accept and Reject buttons, granular consent per purpose, and zero non-essential cookies before consent.
Privacy policy (RGPD Art. 13/14 + LOPDGDD Art. 11)
Any Spanish website that processes personal data through forms, accounts, or analytics needs a política de privacidad covering identity of the responsable, legal basis, data categories, retention periods, transfers, and rights including the right to lodge a claim with the AEPD.
Accessibility (Real Decreto 193/2023 / EAA)
From 28 June 2025, businesses selling products or services online to consumers must meet WCAG 2.1 AA. Real Decreto 193/2023 transposes the EAA into Spanish law. Penalties for non-compliance can reach 1% of annual turnover.
Distance selling (Real Decreto Legislativo 1/2007 LGDCU)
Spanish e-commerce sites must display total price including VAT before checkout, offer a 14-day right of withdrawal (desistimiento), label the order button clearly with the payment obligation, and follow the Omnibus rules on prior price for discounts.
Email marketing (LSSI-CE Art. 21)
Article 21 of LSSI-CE prohibits unsolicited commercial communications by email or equivalent electronic means. Prior consent is required, including for B2B cold email. The AEPD enforces this in addition to the RGPD.
Enforcement in Spain
In December 2023 the AEPD fined Vodafone España €3.94 million for cookie banner failures, including pre-ticked categories and a Reject button buried two clicks deep. The decision (PS-00298-2023) cited Article 22.2 LSSI-CE alongside RGPD Articles 6 and 7. Smaller cases against pymes are far more common: the AEPD published over 600 sanctions in 2024, many in the €1,000–€10,000 range, and some as low as €600 for unanswered access requests.
Aviso legal: what must appear and where
Spanish small businesses sometimes hide their aviso legal in a tiny footer link, or skip it entirely on landing pages. Article 10 of LSSI-CE is explicit: the information must be permanent, easy to access, free, and direct. In practice that means a footer link visible from every page, leading to a page that lists the natural or legal person's name, NIF or CIF, full address, contact email, and (for registered companies) the Mercantile Registry section, volume, page, and registration number. Regulated professions (lawyers, doctors, architects) must add their professional college and collegiate number. Hosting your aviso legal only inside a PDF, behind a login, or on a subdomain that does not match your business does not meet the standard.
Cookie banners: what the AEPD actually requires
The AEPD Guía de Cookies revision in July 2023 made the rules clearer than the original 2020 version. A compliant banner has three things: an Accept button and a Reject button shown with equal visibility (same size, same colour intensity, same screen position), a link or button to manage preferences with granular categories (technical, preferences, analytics, marketing), and zero non-essential cookies set before the visitor interacts. Cookie walls that block content until consent are explicitly disallowed for sites that have alternative business models, and the AEPD has sanctioned this pattern. The most common failures the AEPD cites in its resoluciones are: pre-ticked boxes for non-essential categories, a Reject button hidden inside a settings panel, and analytics cookies (Google Analytics _ga, Microsoft Clarity, Hotjar) firing on page load.
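The "zero non-essential cookies before the visitor interacts" condition can be checked mechanically by auditing the cookie jar of a fresh session before any banner button is clicked. The following is an added example, not code from this page or from the AEPD: the cookie-name patterns other than _ga follow vendor-documented names and are assumptions, the allow-list is hypothetical, and the sample cookie string is constructed.

```javascript
// Known non-essential (analytics) cookie families. Only _ga is named on the page;
// the other patterns are assumptions based on vendor-documented cookie names.
const NON_ESSENTIAL = [
  { vendor: "Google Analytics", pattern: /^_(ga|gid|gat)(_.+)?$/ },
  { vendor: "Microsoft Clarity", pattern: /^_(clck|clsk)$/ },
  { vendor: "Hotjar", pattern: /^_hj[A-Za-z]+(_\d+)?$/ },
];

// Hypothetical allow-list of strictly necessary cookies for the audited site.
const STRICTLY_NECESSARY = new Set(["PHPSESSID", "csrf_token"]);

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf("=");
      return eq === -1 ? pair : pair.slice(0, eq);
    });
}

// Classify every cookie present before consent was given.
// violations: known analytics cookies; unknown: not on the allow-list, review by hand.
function auditPreConsent(cookieString) {
  const report = { violations: [], unknown: [], necessary: [] };
  for (const name of cookieNames(cookieString)) {
    const hit = NON_ESSENTIAL.find((rule) => rule.pattern.test(name));
    if (hit) report.violations.push({ name, vendor: hit.vendor });
    else if (STRICTLY_NECESSARY.has(name)) report.necessary.push(name);
    else report.unknown.push(name);
  }
  report.clean = report.violations.length === 0;
  report.needsReview = report.unknown.length > 0;
  return report;
}

// Constructed sample: cookie jar captured on first page load, banner untouched.
const SAMPLE =
  "PHPSESSID=abc123; _ga=GA1.1.111.222; _ga_ABC123=GS1.1.x; " +
  "_clck=xyz; _hjSessionUser_12345=eyJ; theme=dark";

console.log(JSON.stringify(auditPreConsent(SAMPLE), null, 2));
```

In a browser, pass `document.cookie` from a fresh private window before touching the banner; cookies flagged HttpOnly are not visible there and need the developer tools or a header capture instead.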
How AEPD sanctions are calculated
The AEPD applies the LSSI-CE penalty bands of Article 39: minor infractions up to €30,000, serious infractions €30,001–€150,000, and very serious infractions €150,001–€600,000. RGPD violations follow Articles 83.4 and 83.5: up to €10 million or 2% of global turnover for processing breaches, up to €20 million or 4% for breaches of the lawful-basis requirement. In practice, smaller pymes usually receive sanctions from €1,000 to €10,000 once the aggravating (agravante) and mitigating (atenuante) criteria in LOPDGDD Article 76 are applied. Voluntary acknowledgement of the infraction reduces the fine by 20%, and prompt payment by another 20%, so a €10,000 sanction can drop to €6,400 if you cooperate quickly.
Guides for Spain
Contact Form GDPR Requirements: Article 13 Compliance
What a GDPR-compliant contact form needs: Article 13 information, the right legal basis (legitimate interest vs precontractual), unchecked boxes, retention.
How Much Does a Copyright Claim Actually Cost? (EU)
How much a copyright claim costs in the EU: real settlement ranges for Getty Images, Copytrack and PicRights demands plus what drives the price up or down.
Should You Ignore a Copyright Demand Letter? (EU)
Should you ignore a Getty, Copytrack or PicRights demand letter? Why silence usually backfires and the rare situations where it might be the right call.
Cookie Banner Requirements Under EU Law (2026 Guide)
Cookie banner requirements in the EU 2026: reject equal to accept, no dark patterns, prior consent. EDPB Guidelines 05/2020 explained.
Free Stock Photo Sources for Business Websites
Find free stock photo sources that are safe for commercial use on your business website. Unsplash, Pexels, Pixabay and more, with license details.
GDPR Fines for Small Businesses: Real Cases and Amounts
Real GDPR fines for small businesses run from about 1,000 to 50,000 EUR. See published regulator decisions, what triggers enforcement and how to avoid it.
How to Scan Your Website for Copyrighted Images
Learn how to find copyrighted images on your website before enforcement agencies do. Manual and automated methods to check every image.