Running a website, blog, or online shop in Spain requires complying with both national and European digital laws. This guide explains how to make your website legally compliant and avoid heavy fines.
The regulations apply to any website that generates income directly or indirectly.
Key digital laws in Spain
Spain enforces three primary laws that regulate digital services and data privacy.
You must follow all three to avoid penalties.
The LSSI-CE
The primary national law is the LSSI-CE (Ley de Servicios de la Sociedad de la Información y de Comercio Electrónico).
This law regulates electronic commerce and online services.
It requires all commercial websites to identify their owner clearly.
If your website has ads, affiliate links, or sells products, this law applies to you.
The GDPR (RGPD in Spanish)
The GDPR is the European Union’s data protection regulation.
It applies to any website that collects personal data from EU users.
Personal data includes email addresses, names, and tracking cookies.
You must get explicit consent before collecting any user data.
The LOPDGDD
The LOPDGDD is the national Spanish data protection law.
It adapts the European GDPR rules to the Spanish legal system.
It defines specific digital rights for users located in Spain.
The AEPD (Agencia Española de Protección de Datos) enforces this law.
Required legal pages on your website
To comply with the LSSI-CE and GDPR, you must publish three distinct legal pages.
These pages must be easily accessible from any page on your site, usually in the footer.
Legal Notice (Aviso Legal)
The Aviso Legal is mandatory for all commercial websites under the LSSI-CE.
It must identify the owner of the website.
You must publish your legal name, physical address, and NIE or NIF number.
You must also provide a direct contact email address.
Privacy Policy (Política de Privacidad)
The Política de Privacidad explains how you handle personal data.
You must state what data you collect, such as IP addresses or form entries.
You must declare where this data is stored and who has access to it.
You must explain how users can request the deletion of their data.
Cookie Policy (Política de Cookies)
The Política de Cookies details the tracking files used by your website.
You must list all analytical, functional, and advertising cookies.
You must explain the purpose of each cookie and how long it remains active.
You must also link to instructions on how users can disable cookies in their browsers.
Implementing cookie consent banners
You cannot load tracking cookies automatically when a user visits your website.
The AEPD enforces strict rules regarding cookie consent banners.
Active consent
A user must actively accept cookies before they are loaded in the browser.
Scroll-to-accept or simple page views do not count as consent.
Your banner must block all tracking cookies until the user clicks accept.
Banner options
Your cookie banner must offer three clear options to the user.
It must have an “Accept all” button, a “Reject all” button, and a “Configure” button.
The buttons must have similar colors and sizes to avoid manipulation.
The configuration panel must list cookies by category so users can select them individually.
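One way to implement the blocking behaviour described above, as an added example that is not code from this guide or from any consent library. `ConsentGate`, its methods, the event names and the category names are hypothetical, and the loaders are empty stand-ins for the code that would inject a tracking script.

```javascript
// Added example: defer every optional cookie/script loader until an explicit banner click.
// ConsentGate, its methods and the event/category names are hypothetical.
const OPTIONAL = ["analytics", "functional", "advertising"];
const ACTIONS = new Map([
  ["acceptAll", () => true],
  ["rejectAll", () => false],
  ["configure", (category, selection) => selection[category] === true],
]);
class ConsentGate {
  constructor() {
    this.decision = null; // null means the user has not chosen yet
    this.pending = [];    // loaders waiting for a decision
    this.loaded = [];     // names of loaders that actually ran
  }
  // Register a loader; optional categories are queued, never run on page load.
  register(category, name, load) {
    const entry = { category, name, load };
    if (this.allowed(category)) this.run(entry);
    else if (this.decision === null) this.pending.push(entry);
  }
  allowed(category) {
    if (category === "necessary") return true; // cart and session cookies need no banner
    return this.decision !== null && this.decision[category] === true;
  }
  run(entry) { entry.load(); this.loaded.push(entry.name); }
  // Only the three banner buttons set a decision; any other event is ignored.
  handle(event, selection = {}) {
    const grant = ACTIONS.get(event);
    if (!grant) return false; // scroll, page view, etc. do not count as consent
    this.decision = Object.fromEntries(
      OPTIONAL.map((c) => [c, grant(c, selection)])
    );
    const queue = this.pending;
    this.pending = [];
    queue.filter((e) => this.allowed(e.category)).forEach((e) => this.run(e));
    return true;
  }
}
// Constructed scenario: a scroll event, then "Configure" with analytics only.
function demo() {
  const gate = new ConsentGate();
  gate.register("necessary", "session", () => {});
  gate.register("analytics", "stats", () => {});
  gate.register("advertising", "ads", () => {});
  const beforeClick = [...gate.loaded];
  const scrollCounted = gate.handle("scroll");
  gate.handle("configure", { analytics: true });
  return { beforeClick, scrollCounted, afterConfigure: [...gate.loaded] };
}
console.log(demo());
```

In a browser, each banner button's click handler would call `handle` with its own event name, and each third-party script tag would be created inside a registered loader instead of being written into the page.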
E-commerce legal requirements
If you run an online shop, you face additional legal obligations.
You must protect consumers and show pricing information clearly.
Terms of Sale (Condiciones de Venta)
You must publish a detailed Condiciones de Venta page.
This page must detail the purchase process, payment methods, and delivery times.
It must also explain the returns policy.
By law, customers in Spain have a 14-day cooling-off period to return physical products.
Pricing and taxes
You must display final prices clearly before the checkout stage.
The prices must state if value added tax is included.
If you charge delivery fees, you must show them before the customer confirms the purchase.
Compliance checklist
Use this checklist to verify your website’s legal compliance:
- Aviso Legal: Publish your name, NIE, address, and email in the footer.
- Data Consent: Add an unchecked checkbox for privacy policy consent on all forms.
- Cookie Banner: Install a cookie banner with clear accept, reject, and configure buttons.
- SSL Certificate: Secure your website with HTTPS encryption to protect user data.
- Autónomo Registration: Register as autónomo if the website earns money from ads or sales.
Required legal pages comparison
This table summarizes the legal pages required on Spanish websites.
| Page Name | Main Legal Basis | Required Information | Who Needs It |
|---|---|---|---|
| Aviso Legal | LSSI-CE | Owner name, NIE, address, email | All commercial websites |
| Política de Privacidad | GDPR / LOPDGDD | Data usage, storage, deletion | Any site collecting data |
| Política de Cookies | GDPR / LSSI-CE | List of cookies, durations, purposes | Any site using cookies |
| Condiciones de Venta | Consumer Law | Payments, deliveries, return rights | All online shops |
Questions and answers
Can I run a blog without registering as an autónomo?
Yes, if it is a personal hobby. If the blog does not generate any income, you do not need to register. However, if you add ads or affiliate links, you must register as autónomo.
Can I use a pseudonym on my Aviso Legal?
No. You must show your legal name and NIE or NIF number. The law does not allow anonymous commercial websites or pseudonyms for identification.
What is the penalty for not having a cookie banner?
Fines range from €3,000 to €30,000. The AEPD regularly issues fines to websites that load tracking cookies before getting user consent.
Do I need a cookie banner if I only use necessary cookies?
No. You do not need a banner for cookies that are necessary for the website to function. This includes shopping cart cookies and security session cookies.
Can I copy legal templates from other websites?
No. Legal templates must be customized to your specific activity and data processors. Copying other sites can lead to incorrect terms and legal liability.
Do these laws apply to websites hosted outside Spain?
Yes, if you target users in Spain. The GDPR and LSSI-CE apply to any business offering services or goods to consumers located in Spain.
What is the AEPD?
The Spanish Data Protection Agency. The AEPD is the government body that investigates privacy complaints and issues fines for data violations in Spain.
Do I need a checkbox for my newsletter signup form?
Yes. You must have an unchecked checkbox stating that the user accepts your privacy policy. You cannot pre-check this box or subscribe users automatically.
