logo Lawwwing

Cookies, Banners and Legal Texts: What the AEPD Penalised in 2025

The Spanish Data Protection Agency (AEPD) has made it clear that regulatory compliance on the internet must be one of companies' top priorities. The publication of its Annual Report confirms a trend that has been strengthening for years: complaints continue to rise, inspections are becoming more frequent, and non-compliance on websites and e-commerce platforms remains […]
Legal Lawwwing
July 13, 2026

The Spanish Data Protection Agency (AEPD) has made it clear that regulatory compliance on the internet must be one of companies' top priorities. The publication of its Annual Report confirms a trend that has been strengthening for years: complaints continue to rise, inspections are becoming more frequent, and non-compliance on websites and e-commerce platforms remains one of the supervisory authority's main areas of enforcement.

1. 2025: Record figures in data protection

Before looking at e-commerce in detail, it is worth reviewing the broader context of the AEPD's enforcement activity over the past year. In 2025, a total of 30,931 complaints were filed, representing a 64% increase compared with the previous year. As a result, the Agency resolved 23,361 complaints, the highest number in its history.

In addition, the total amount of fines imposed reached €33.9 million, reflecting the Agency's growing enforcement activity and the importance it places on protecting personal data. Although the largest fines were concentrated in sectors such as transport, telecommunications, and major digital platforms, infringements committed by e-commerce businesses continue to account for a significant number of enforcement proceedings.

2. Websites as a Key Focus of Enforcement

Data protection legislation does not only apply to large companies; it applies to any organisation that operates a website collecting personal data. Many websites use contact forms, newsletter subscriptions, analytics cookies, advertising pixels, remarketing tools, live chat services, or, in the case of e-commerce businesses, complete online purchasing processes.

All of these processing activities are subject to the General Data Protection Regulation (GDPR), the Spanish Organic Law on Data Protection and the Guarantee of Digital Rights (LOPDGDD), the Law on Information Society Services and Electronic Commerce (LSSI), and, increasingly, new European regulatory frameworks governing digital services and artificial intelligence.

One of the most striking findings in the Annual Report is that internet services account for 15% of the areas subject to the highest number of sanctions imposed by the AEPD. This figure is particularly significant because it encompasses many of the infringements commonly associated with the day-to-day operation of corporate websites, professional websites, and e-commerce platforms.

In practice, most of these enforcement proceedings stem from very similar issues:

  • Incorrect implementation of cookies.
  • Failure to obtain valid user consent.
  • Incomplete privacy policies.
  • Breaches of the duty to provide information.
  • Use of analytics or marketing tools without an appropriate legal basis.
  • Errors in identifying the data controller.

3. What Were the Most Significant AEPD Sanctions in 2025?

Among the most notable enforcement actions of the year are several cases that demonstrate the AEPD's increasingly strict approach to personal data processing in the digital environment:

  • AENA was fined €10 million for implementing a facial recognition system for passenger access and boarding without first carrying out the mandatory Data Protection Impact Assessment (DPIA).
  • Xfera Móviles was fined €4 million for breaches of confidentiality and security arising from a personal data breach.
  • Carrefour was fined €3.2 million following a security breach and for failing to exercise adequate diligence in protecting its customers' personal data.

These cases share a common pattern: inadequate technical and organisational measures, the absence of prior risk assessments, and insufficient diligence in safeguarding users' personal data.

4. E-commerce Businesses: Particularly Exposed to Compliance Risks

E-commerce businesses are subject to a particularly high level of regulatory compliance when it comes to the protection of personal data.

An e-commerce website does much more than simply install cookies. It manages user accounts, processes orders, stores postal addresses, handles payment information, sends marketing communications, relies on logistics platforms, integrates payment gateways, connects automated marketing tools, and shares information with multiple technology providers.

As a result, each of these processing activities must comply with the obligations set out in the General Data Protection Regulation (GDPR). The more processing activities your e-commerce business carries out, the greater the risk of non-compliance.

A significant number of enforcement proceedings have been brought against e-commerce businesses for failing to comply with data protection legislation. These include fines for installing cookies without obtaining users' consent, preventing users from effectively rejecting cookies, providing incomplete privacy policies, or failing to correctly identify the data controller.

For this reason, we highlight some of the enforcement decisions issued in 2025 that specifically affected e-commerce businesses:

  • MaxPower: €1,600 fine for installing cookies without consent and failing to provide granular cookie controls.
    The enforcement decision identified several compliance failures on the company's website. First, cookies were installed before users had taken any action or consented to their use. Second, technical inspections confirmed that, even after selecting the "Reject" option, the website continued to use the same cookies detected at the beginning of the session. Third, users were not able to accept or reject cookies on a granular basis, nor was there a permanent link allowing them to easily modify or withdraw their consent while browsing. Finally, the cookie policy lacked essential information, including a definition and general explanation of cookies, the identity of the third-party providers involved, and the applicable data retention periods.

  • Amor Ideal: €600 fine for an incomplete Privacy Policy.
    In this case, the fine arose from a complaint lodged by a customer who had purchased the company's "Love Coaching" services and claimed that no information had been provided regarding the processing of their personal data. The AEPD found that the invoice issued to the customer contained no information whatsoever on data protection or the company's privacy policy. Furthermore, at the time of the events, the company's website did not include a privacy policy identifying the data controller or informing users of their rights.

  • Trueba Sport: €1,200 fine for failing to identify the data controller and provide a link to the Privacy Policy.
    The AEPD concluded that Trueba Sport, the organiser of the cycling competition "Vuelta Hispania," had committed two infringements of the GDPR. First, it breached Article 5(1)(f), concerning the integrity and confidentiality of personal data, by sending an email to more than 300 recipients without using blind carbon copy (BCC). Second, it infringed Article 13 of the GDPR because the competition's website collected personal data through registration forms and equipment reservation forms without identifying the data controller or providing either a privacy policy or a legal notice.

  • Wallapop: €3,000 fine for an ineffective cookie banner.
    In this case, the AEPD imposed a fine on Wallapop for breaching Article 22 of the LSSI due to irregularities in the management of cookies on its website. The infringements stemmed from the installation of non-essential and non-technical cookies as soon as users accessed the website, before they had taken any action or given their consent. In addition, the investigation confirmed that, even when users selected the "Reject All" option, the website continued to use the same non-essential cookies that had been detected at the start of the browsing session. The cookie rejection mechanism was therefore considered ineffective. Finally, users were unable to easily modify or withdraw their cookie consent while browsing, as the cookie management panel did not allow the effective removal of cookies during the session.

  • El Debate: €3,000 fine for installing non-essential cookies without consent and preventing effective withdrawal of consent.
    The AEPD found that Ediciones Católicos y Vida Pública, S.L.U., publisher of the newspaper El Debate, had breached Article 22(2) of the LSSI. Specifically, the Agency identified irregularities relating to the installation of cookies without obtaining users' consent before they had interacted with the website or granted permission. Furthermore, the AEPD confirmed that, even when users rejected all cookies or withdrew their consent through the cookie settings banner, certain advertising and analytics cookies remained installed in their browsers.

  • Inmo-master: €1,000 fine for deficiencies in its Privacy Policy.
    In the case of Retsinnal Group, S.L.U., operator of the website www.inmo-master.com, the AEPD imposed a fine for breaching Article 13 of the GDPR due to deficiencies in its privacy policy. The policy failed to properly identify the data controller, as it did not include the company name, tax identification number (NIF), or the contact details required under the GDPR when personal data is collected through online forms.

As these cases demonstrate, five out of the six enforcement decisions relate to cookies and consent management, while the sixth concerns an incomplete or poorly drafted Privacy Policy. In short, these are compliance failures that can be avoided by implementing a robust data protection compliance strategy from the outset.

A Cookie Banner That Complies with the Law

One of the areas most heavily scrutinised by the AEPD in 2025 is the way websites obtain and manage users' consent for cookies. Simply displaying a cookie banner is no longer enough. The Agency requires consent mechanisms to be clear, informed, and granular. This means, among other things, that:

  • Accepting and rejecting cookies must be equally easy.
  • Users must be able to withdraw their consent at any time, using a process that is as simple as the one used to give it.
  • Information must be provided on each category of cookies separately, rather than grouping them together.
  • No non-essential cookies may be installed before the user's explicit consent has been obtained.

The Wallapop case demonstrates that the AEPD is no longer focusing solely on whether consent has been obtained. It also scrutinises the effectiveness of the "Reject All" button and the ease with which users can withdraw their consent—two aspects of interface design that have become key enforcement priorities.

Up-to-Date Privacy Policies and Legal Notices

Another recurring area of enforcement in the e-commerce sector concerns something as fundamental as correctly identifying the data controller and providing a complete and easily accessible Privacy Policy.

In the Trueba Sport case, the company was fined for failing to identify the data controller and for not providing a link to its Privacy Policy. In the Inmo-master case, the fine was imposed because the Privacy Policy contained significant deficiencies.

These enforcement decisions serve as a reminder that businesses must clearly inform users about who is processing their personal data, the purposes for which it is processed, the applicable data retention periods, and the rights available to them under data protection law.

2026 Compliance Checklist: What Every E-commerce Business Should Be Doing

The findings in the AEPD's Annual Report send a clear message: every e-commerce business is becoming increasingly likely to face a complaint—whether from a customer, a competitor, or the Agency itself.

Against this backdrop, ensuring that your e-commerce website complies with applicable regulations has never been more important. We therefore recommend that you:

desmarcada Keep your legal documentation up to date, including your Privacy Policy, Legal Notice, and Terms of Use.

desmarcada Implement technical and organisational security measures that are appropriate to the risks associated with your data processing activities.

desmarcada Carry out regular reviews of your website, including cookie audits and assessments of third-party tracking technologies.

desmarcada Use a cookie banner that complies with current legislation and the latest guidance issued by the European Data Protection Board (EDPB).

desmarcada Ensure that user consent is valid, freely given, specific, informed, and unambiguous.

desmarcada Comply with the accessibility requirements applicable to websites.

desmarcada Implement a withdrawal (right of cancellation) button where required by law.

desmarcada Comply with the transparency and labelling requirements of the AI Act where your processing activities involve artificial intelligence systems.

How Lawwwing Can Help your ecommerce 

At Lawwwing, we have spent years helping e-commerce businesses, SMEs, and large organisations bring their websites into line with data protection, cookie compliance, and digital regulatory requirements.

Our software enables you to configure a fully compliant cookie banner and generate key legal documents for your website, including your Privacy Policy, Legal Notice, and Terms of Use.

Don't wait until you receive a notification from the AEPD before taking the data protection compliance of your e-commerce website seriously. The figures published for 2025 clearly show that digital regulatory compliance is no longer optional—it is a key factor in protecting your business's reputation, reducing legal risk, and ensuring its long-term success.

👉 Get in touch with the Lawwwing team today and discover how we can help safeguard your e-commerce business against AEPD enforcement and regulatory fines.

⬇️Download our free infographic summarizing the AEPD's 2025 sanctions and keep the checklist handy to avoid fines in 2026.

How can we help you?
If you have any questions, our specialists are here to assist you whenever you need it.
Live Chat
Share this article
Blog

Related Articles

Businesses trust Lawwwing to ensure their legal compliance, keeping their documents up-to-date and avoiding penalties.
cross