Guide

Legal Requirements for Websites in Spain

GDPR, LSSI, cookies and everything your website needs to comply with legally in Spain.

01

LSSI: Information Society Services Law

The LSSI (Law 34/2002) is the basic regulation that governs websites in Spain. It requires all websites that carry out economic activity (including blogs with advertising) to clearly identify themselves with company data: name, tax ID, address, email and registration data.

This law also regulates commercial email communications (prohibits spam), electronic commerce and the liability of service providers. Non-compliance can result in penalties between 30,000 and 600,000 euros.

02

GDPR and data protection

The GDPR (General Data Protection Regulation) is the European regulation that governs how you collect, store and process your users' personal data. It applies to any website that collects data from European citizens, regardless of where it is hosted.

Main obligations: obtain explicit consent before collecting data, inform about what data you collect and why, allow users to access, rectify and delete their data, and notify security breaches within 72 hours.

  • Mandatory explicit consent
  • Right of access, rectification and deletion
  • Record of processing activities
  • Impact assessment if processing sensitive data
  • Data Protection Officer if applicable

03

Mandatory cookie policy

Every website that uses cookies (and almost all do) must inform the user and obtain prior consent for non-essential cookies. The cookie banner must allow accepting, rejecting and configuring cookies by category.

Cookies are classified as technical (necessary, no consent required), analytical (Google Analytics, consent required) and advertising (Facebook Pixel, consent required). Your cookie policy must list each cookie, its purpose and duration.

04

Legal notice: what it must include

The legal notice is mandatory for all websites with economic activity in Spain. It must include: name or company name, tax ID, fiscal address, contact email, Commercial Registry registration data (if applicable) and professional license number (if applicable).

In addition to the legal notice, you need a privacy policy (how you handle personal data), terms of use (website usage rules) and, if you sell online, purchase conditions (purchase process, returns, warranties).

05

Regulations for online stores

Online stores have additional obligations: display prices with VAT included, inform about shipping costs before purchase, offer a 14-day withdrawal right, provide an invoice and have an accessible complaints system.

You must also comply with the Retail Trade Law and labeling regulations if you sell physical products. For food, cosmetics or electronic products there are additional specific regulations.

06

Penalties for non-compliance

Penalties for non-compliance with web regulations in Spain are significant. The LSSI provides for fines of up to 600,000 euros for very serious infringements. The GDPR allows penalties of up to 20 million euros or 4% of annual global turnover.

The AEPD (Spanish Data Protection Agency) is active in imposing sanctions. In 2023, it imposed fines worth over 40 million euros. Complying with regulations is not just a legal obligation; it is an investment in your business reputation.

Key Takeaways

Summary

  • Legal notice is mandatory for all commercial websites
  • GDPR requires explicit consent for personal data
  • Cookie banner must allow rejection
  • Penalties can reach millions of euros
