

The Spanish Data Protection Agency (AEPD) has made it clear that regulatory compliance on the internet must be one of companies' top priorities. The publication of its Annual Report confirms a trend that has been strengthening for years: complaints continue to rise, inspections are becoming more frequent, and non-compliance on websites and e-commerce platforms remains one of the supervisory authority's main areas of enforcement.
Before looking at e-commerce in detail, it is worth reviewing the broader context of the AEPD's enforcement activity over the past year. In 2025, a total of 30,931 complaints were filed, representing a 64% increase compared with the previous year. As a result, the Agency resolved 23,361 complaints, the highest number in its history.
In addition, the total amount of fines imposed reached €33.9 million, reflecting the Agency's growing enforcement activity and the importance it places on protecting personal data. Although the largest fines were concentrated in sectors such as transport, telecommunications, and major digital platforms, infringements committed by e-commerce businesses continue to account for a significant number of enforcement proceedings.
Data protection legislation does not only apply to large companies; it applies to any organisation that operates a website collecting personal data. Many websites use contact forms, newsletter subscriptions, analytics cookies, advertising pixels, remarketing tools, live chat services, or, in the case of e-commerce businesses, complete online purchasing processes.
All of these processing activities are subject to the General Data Protection Regulation (GDPR), the Spanish Organic Law on Data Protection and the Guarantee of Digital Rights (LOPDGDD), the Law on Information Society Services and Electronic Commerce (LSSI), and, increasingly, new European regulatory frameworks governing digital services and artificial intelligence.
One of the most striking findings in the Annual Report is that internet services account for 15% of the areas subject to the highest number of sanctions imposed by the AEPD. This figure is particularly significant because it encompasses many of the infringements commonly associated with the day-to-day operation of corporate websites, professional websites, and e-commerce platforms.
In practice, most of these enforcement proceedings stem from very similar issues:
Among the most notable enforcement actions of the year are several cases that demonstrate the AEPD's increasingly strict approach to personal data processing in the digital environment:
These cases share a common pattern: inadequate technical and organisational measures, the absence of prior risk assessments, and insufficient diligence in safeguarding users' personal data.
E-commerce businesses are subject to a particularly high level of regulatory compliance when it comes to the protection of personal data.
An e-commerce website does much more than simply install cookies. It manages user accounts, processes orders, stores postal addresses, handles payment information, sends marketing communications, relies on logistics platforms, integrates payment gateways, connects automated marketing tools, and shares information with multiple technology providers.
As a result, each of these processing activities must comply with the obligations set out in the General Data Protection Regulation (GDPR). The more processing activities your e-commerce business carries out, the greater the risk of non-compliance.
A significant number of enforcement proceedings have been brought against e-commerce businesses for failing to comply with data protection legislation. These include fines for installing cookies without obtaining users' consent, preventing users from effectively rejecting cookies, providing incomplete privacy policies, or failing to correctly identify the data controller.
For this reason, we highlight some of the enforcement decisions issued in 2025 that specifically affected e-commerce businesses:
As these cases demonstrate, five out of the six enforcement decisions relate to cookies and consent management, while the sixth concerns an incomplete or poorly drafted Privacy Policy. In short, these are compliance failures that can be avoided by implementing a robust data protection compliance strategy from the outset.
One of the areas most heavily scrutinised by the AEPD in 2025 is the way websites obtain and manage users' consent for cookies. Simply displaying a cookie banner is no longer enough. The Agency requires consent mechanisms to be clear, informed, and granular. This means, among other things, that:
The Wallapop case demonstrates that the AEPD is no longer focusing solely on whether consent has been obtained. It also scrutinises the effectiveness of the "Reject All" button and the ease with which users can withdraw their consent—two aspects of interface design that have become key enforcement priorities.
Another recurring area of enforcement in the e-commerce sector concerns something as fundamental as correctly identifying the data controller and providing a complete and easily accessible Privacy Policy.
In the Trueba Sport case, the company was fined for failing to identify the data controller and for not providing a link to its Privacy Policy. In the Inmo-master case, the fine was imposed because the Privacy Policy contained significant deficiencies.
These enforcement decisions serve as a reminder that businesses must clearly inform users about who is processing their personal data, the purposes for which it is processed, the applicable data retention periods, and the rights available to them under data protection law.
The findings in the AEPD's Annual Report send a clear message: every e-commerce business is becoming increasingly likely to face a complaint—whether from a customer, a competitor, or the Agency itself.
Against this backdrop, ensuring that your e-commerce website complies with applicable regulations has never been more important. We therefore recommend that you:
Keep your legal documentation up to date, including your Privacy Policy, Legal Notice, and Terms of Use.
Implement technical and organisational security measures that are appropriate to the risks associated with your data processing activities.
Carry out regular reviews of your website, including cookie audits and assessments of third-party tracking technologies.
Use a cookie banner that complies with current legislation and the latest guidance issued by the European Data Protection Board (EDPB).
Ensure that user consent is valid, freely given, specific, informed, and unambiguous.
Comply with the accessibility requirements applicable to websites.
Implement a withdrawal (right of cancellation) button where required by law.
Comply with the transparency and labelling requirements of the AI Act where your processing activities involve artificial intelligence systems.
At Lawwwing, we have spent years helping e-commerce businesses, SMEs, and large organisations bring their websites into line with data protection, cookie compliance, and digital regulatory requirements.
Our software enables you to configure a fully compliant cookie banner and generate key legal documents for your website, including your Privacy Policy, Legal Notice, and Terms of Use.
Don't wait until you receive a notification from the AEPD before taking the data protection compliance of your e-commerce website seriously. The figures published for 2025 clearly show that digital regulatory compliance is no longer optional—it is a key factor in protecting your business's reputation, reducing legal risk, and ensuring its long-term success.
👉 Get in touch with the Lawwwing team today and discover how we can help safeguard your e-commerce business against AEPD enforcement and regulatory fines.

⬇️Download our free infographic summarizing the AEPD's 2025 sanctions and keep the checklist handy to avoid fines in 2026.