Website Rules in Spain
Spanish websites must comply with Ley 34/2002 (LSSI-CE) for the legal notice (aviso legal), the RGPD enforced by the AEPD, and strict cookie consent rules under Article 22.2 LSSI-CE. The AEPD is one of the most active data protection authorities in the EU, with hundreds of decisions per year.
Data protection authority: Agencia Española de Protección de Datos (AEPD)
Requirements: 6 country-specific rules
Guides: 0 guides available
Specific requirements for Spain
Aviso legal (Ley 34/2002 LSSI-CE Art. 10)
Every Spanish business website must display an aviso legal containing the company name, NIF or CIF, registered address, contact email, and (when applicable) the Mercantile Registry number and professional college details. This is required by Article 10 of the Ley 34/2002 (LSSI-CE).
Cookie consent (LSSI-CE Art. 22.2)
Cookies and similar tracking technologies that are not strictly necessary require prior informed consent. The AEPD's Guía de Cookies (revised 2023) requires a banner with equally prominent Accept and Reject buttons, granular consent per purpose, and zero non-essential cookies before consent.
Privacy policy (RGPD Art. 13/14 + LOPDGDD Art. 11)
Any Spanish website that processes personal data through forms, accounts, or analytics needs a política de privacidad covering identity of the responsable, legal basis, data categories, retention periods, transfers, and rights including the right to lodge a claim with the AEPD.
Accessibility (Real Decreto 193/2023 / EAA)
From 28 June 2025, businesses selling products or services online to consumers must meet WCAG 2.1 AA. Real Decreto 193/2023 transposes the EAA into Spanish law. Penalties for non-compliance can reach 1% of annual turnover.
Distance selling (Real Decreto Legislativo 1/2007 LGDCU)
Spanish e-commerce sites must display total price including VAT before checkout, offer a 14-day right of withdrawal (desistimiento), label the order button clearly with the payment obligation, and follow the Omnibus rules on prior price for discounts.
Email marketing (LSSI-CE Art. 21)
Article 21 of LSSI-CE prohibits unsolicited commercial communications by email or equivalent electronic means. Prior consent is required, including for B2B cold email. The AEPD enforces this in addition to the RGPD.
Enforcement in Spain
In December 2023 the AEPD fined Vodafone España €3.94 million for cookie banner failures, including pre-ticked categories and a Reject button buried two clicks deep. The decision (PS-00298-2023) cited Article 22.2 LSSI-CE alongside RGPD Articles 6 and 7. Smaller cases against pymes (SMEs) are far more common: the AEPD published over 600 sanctions in 2024, many in the €1,000–€10,000 range, and some as low as €600 for unanswered access requests.
Official resources
Aviso legal: what must appear and where
Spanish small businesses sometimes hide their aviso legal in a tiny footer link, or skip it entirely on landing pages. Article 10 of LSSI-CE is explicit: the information must be permanent, easy to access, free, and direct. In practice that means a footer link visible from every page, leading to a page that lists the natural or legal person's name, NIF or CIF, full address, contact email, and (for registered companies) the Mercantile Registry section, volume, page, and registration number. Regulated professions (lawyers, doctors, architects) must add their professional college and collegiate number. Hosting your aviso legal only inside a PDF, behind a login, or on a subdomain that does not match your business does not meet the standard.
Cookie banners: what the AEPD actually requires
The AEPD Guía de Cookies revision in July 2023 made the rules clearer than the original 2020 version. A compliant banner has three elements: an Accept button and a Reject button shown with equal visibility (same size, same colour intensity, same screen position), a link or button to manage preferences with granular categories (technical, preferences, analytics, marketing), and zero non-essential cookies set before the visitor interacts. Cookie walls that block content until consent are explicitly disallowed for sites that have alternative business models, and the AEPD has sanctioned this pattern. The most common failures the AEPD cites in its resoluciones are: pre-ticked boxes for non-essential categories, a Reject button hidden inside a settings panel, and analytics cookies (Google Analytics _ga, Microsoft Clarity, Hotjar) firing on page load.
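The consent logic the AEPD guidance implies, as an added example that is not code from the original page or from any consent vendor: a default state with no non-essential consent, symmetric Accept/Reject handling, a per-category gate for tag loaders, and an audit that flags the "analytics cookies on page load" failure. The "_ga" name comes from the page; the "_clck", "_clsk" and "_hj" prefixes for Clarity and Hotjar are assumptions, as is the PHPSESSID-style technical allowlist.

```javascript
const CATEGORIES = ["technical", "preferences", "analytics", "marketing"];
// Cookie-name prefixes by category. "_ga" (Google Analytics) is the name the
// page cites; "_clck"/"_clsk" (Microsoft Clarity) and "_hj" (Hotjar) are
// assumed prefixes for the other two vendors the page mentions.
const KNOWN_PREFIXES = [
  { prefix: "_ga", category: "analytics", vendor: "Google Analytics" },
  { prefix: "_clck", category: "analytics", vendor: "Microsoft Clarity" },
  { prefix: "_clsk", category: "analytics", vendor: "Microsoft Clarity" },
  { prefix: "_hj", category: "analytics", vendor: "Hotjar" },
];

// State before the visitor interacts: only strictly necessary cookies allowed.
function noConsent() {
  return { technical: true, preferences: false, analytics: false, marketing: false };
}

// Accept and Reject are symmetric one-step actions; a granular choice is an
// object of per-category booleans from the preferences panel.
function applyChoice(choice) {
  const state = noConsent();
  for (const c of CATEGORIES.slice(1)) {
    if (choice === "accept_all") state[c] = true;
    else if (choice !== "reject_all" && typeof choice === "object") state[c] = Boolean(choice[c]);
  }
  return state;
}

// Gate for tag loaders: check this before injecting any vendor script.
function canLoad(category, consent) {
  return CATEGORIES.includes(category) && consent[category] === true;
}

function classifyCookie(name) {
  const hit = KNOWN_PREFIXES.find((k) => name.startsWith(k.prefix));
  return hit ? { category: hit.category, vendor: hit.vendor } : { category: "unclassified" };
}

// Cookie names from a document.cookie or Cookie header string.
function parseCookieNames(cookieString) {
  return cookieString.split(";").map((p) => p.trim().split("=")[0]).filter(Boolean);
}

// Flag classified non-essential cookies set without consent (the failure the
// AEPD cites most) and list unknown names missing from the site's own allowlist.
function auditCookies(cookieString, consent, technicalAllowlist = []) {
  const violations = [], unclassified = [];
  for (const name of parseCookieNames(cookieString)) {
    const { category, vendor } = classifyCookie(name);
    if (category === "unclassified") {
      if (!technicalAllowlist.includes(name)) unclassified.push(name);
    } else if (!canLoad(category, consent)) violations.push({ name, category, vendor });
  }
  return { violations, unclassified };
}
```

Run auditCookies against the cookies present on first paint with noConsent() as the state; any entry in violations is a cookie the banner should have blocked.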
How AEPD sanctions are calculated
The AEPD applies the LSSI-CE penalty bands of Article 39: minor infractions up to €30,000, serious infractions €30,001–€150,000, and very serious infractions €150,001–€600,000. RGPD violations follow Articles 83.4 and 83.5: up to €10 million or 2% of global turnover for processing breaches, up to €20 million or 4% for breaches of the lawful-basis requirement. In practice, smaller pymes usually receive sanctions from €1,000 to €10,000 under the agravante and atenuante reductions in LOPDGDD Article 76. Voluntary acknowledgement of the infraction reduces the fine by 20%, and prompt payment by another 20%, so a €10,000 sanction can drop to €6,400 if you cooperate quickly.
Check your website for Spain requirements
Our scanner checks for Spain-specific requirements automatically.