

If you run a website in Spain, you are legally required to publish a set of documents that inform your users of their rights and explain how you handle their information. It does not matter whether you are a freelancer, a small business or a large online store: the law applies to everyone equally. This guide covers which legal documents your website needs, what each one must contain, which regulations apply and how to keep them up to date without the headache.
Website legal documents are the texts that the owner of a website is required to publish in order to comply with Spanish and European law. They inform users about the identity of the person or company behind the website, how personal data is processed, which cookies are used and, in the case of online shops, under what conditions purchases are made.
The legal framework rests on three core pieces of legislation:
- LSSI-CE (Law 34/2002 on Information Society Services and Electronic Commerce): requires website owners to identify themselves and to inform users about cookie usage.
- GDPR (General Data Protection Regulation, EU 2016/679): governs the processing of personal data and requires website owners to inform users about how their data is used.
- LOPDGDD (Organic Law 3/2018 on Personal Data Protection and Digital Rights): adapts the GDPR to the Spanish legal system.
Non-compliance can result in fines of up to 20 million euros or 4% of global annual turnover in the most serious cases. In 2025, Spain's data protection authority (AEPD) issued 299 sanctions totalling 40 million euros, a 14% increase on the previous year. Notably, 72% of those sanctions were directed at small businesses and freelancers.
Not every website requires exactly the same documents. The table below summarises what you need based on your situation:
| Website type | Legal Notice | Privacy Policy | Cookie Policy | T&Cs / Terms of Use | Accessibility Statement | AI Policy |
|---|---|---|---|---|---|---|
| Personal blog with no forms or cookies | Required | Not applicable | Not applicable | Not applicable | Recommended | If using AI |
| Business site with contact form | Required | Required | If using cookies | Not applicable | Recommended | If using AI |
| Online shop (ecommerce) | Required | Required | Required | Required | Required from Jun. 2025 | If using AI |
| SaaS / web app with user accounts | Required | Required | Required | Required (Terms of Use) | Required from Jun. 2025 | If using AI systems |
| Blog with newsletter | Required | Required | If using cookies | Not applicable | Recommended | If using AI |
In practice, almost any modern website uses cookies, even if only through Google Analytics or a WordPress plugin, so the first three documents are necessary in the vast majority of cases.
The legal notice identifies the owner of the website to its users. It is required under Article 10 of the LSSI-CE and is mandatory for every website operating in Spain, with no exceptions.
The legal notice must be easily accessible from any page on the website, typically through a link in the footer.
The LSSI-CE classifies the absence or incompleteness of a legal notice as a serious infringement, carrying fines of up to 150,000 euros. In practice, the AEPD and Spain's Secretariat of State for Telecommunications can open enforcement proceedings following a complaint or a routine inspection.
The privacy policy informs users about how you collect, use and protect their personal data. It is mandatory for any website that collects data, even if that is limited to an email address submitted through a basic contact form.
Under Article 13 of the GDPR, a privacy policy must set out:
The cookie policy describes which cookies your website installs, what they are for and how users can manage them. It is mandatory for any website that uses non-essential cookies, which covers almost any site running Google Analytics, advertising pixels, social media buttons or live chat.
The legal basis is Article 22.2 of the LSSI-CE, together with the Cookie Usage Guide published by the AEPD, which sets out both the technical and disclosure requirements.
The cookie banner is the pop-up or bar that requests user consent when they first visit the website. The cookie policy is the full document that describes all cookies in detail. Both are mandatory and complementary: the banner must link to the policy, and users must be able to withdraw their consent just as easily as they gave it.
The AEPD has issued fines of up to 90,000 euros for installing cookies without prior consent, and considers it an infringement both to have no banner at all and to design banners that make rejection unnecessarily difficult, known as dark patterns.
If your website sells products or services, you need a fourth document:
- Terms and Conditions (or Conditions of Sale): required for online shops selling physical or digital products. Governed by Spain's General Law for the Defence of Consumers and Users (LGDCU).
- Terms of Use: for platforms, SaaS products or subscription services. These set out the conditions under which users may access and use the service.
Terms and conditions must include information on pricing, delivery timescales, returns policy and the 14-day statutory right of withdrawal. From June 2026, new European legislation will also require ecommerce operators to include a clearly visible withdrawal button directly within the customer account area.
Web accessibility has moved from best practice to a full legal obligation. Since 28 June 2025, the European Accessibility Act (Directive EU 2019/882, also known as the EAA) has applied to private sector digital services across the European Union, including online shops, service platforms and web applications.
This means your website must be perceivable, operable, understandable and robust in line with the WCAG 2.1 criteria at Level AA as a minimum. And you must be able to demonstrate compliance through an accessibility statement: a public document that sets out the conformance level of your website, any parts that are not yet accessible and a contact mechanism through which users can request accessible alternatives or report problems.
Penalties for non-compliance with accessibility law can reach 100,000 euros under Spanish implementing legislation, and the regulatory trend points toward increasingly active enforcement.
For public sector websites, an accessibility statement was already required under Royal Decree 1112/2018. For the private sector, the 2025 EAA marks a turning point that should not be overlooked.
The EU Artificial Intelligence Act (Regulation EU 2024/1689, known as the AI Act) is the first legislation of its kind to regulate the use of AI systems in a comprehensive and horizontal way. Its application is phased: absolute prohibitions came into force in February 2025, and obligations for high-risk AI systems will be fully applicable from August 2026.
If your website uses AI systems that interact with users or make decisions that affect them, you may be subject to transparency obligations that should be reflected in your legal documents. This applies, among other situations, to:
- Chatbots and virtual assistants: if a user could be interacting with an AI system without realising it, the AI Act requires clear and prominent disclosure.
- Recommendation systems: if your website personalises content, products or prices using AI, it is good practice and in some cases mandatory to make this clear to users.
- Automated decisions with significant effects: the GDPR already required disclosure of these in the privacy policy; the AI Act strengthens and broadens those obligations.
- Synthetic content: if you publish images, videos or text generated by AI, the AI Act requires them to be clearly labelled as such.
There is not yet a universal obligation to publish a document explicitly titled "AI Policy," but the AI Act, the GDPR and the AEPD's published guidance all create transparency obligations that need to be addressed. The most practical approach is threefold: update your privacy policy to mention any AI tools that process user data; add a section in your legal notice or a dedicated page covering the AI systems used on the site and their purpose; and clearly label any content that has been fully or partially generated by AI.
The AEPD has published specific guidance on AI and data protection, signalling closer scrutiny in this area throughout 2026. Getting ahead of these obligations protects against sanctions and builds user trust at the same time.
Your website's legal documents are not static. They should be reviewed and updated whenever:
At a minimum, a full annual review of all documents is strongly recommended.
Does a personal blog also need legal documents? Yes. If your blog uses cookies, which is almost inevitable with WordPress, Blogger or similar platforms, you need at least a legal notice and a cookie policy. If you also have a contact form or newsletter sign-up, you need a privacy policy as well. There is no exemption for personal or non-commercial use.
Can I use a free legal document template downloaded from the internet? It is best to avoid this. Generic templates do not reflect the specifics of your business, the tools you use or the data controller's details. A privacy policy that does not match the reality of your website can be sanctioned just as readily as having no policy at all. The AEPD assesses the accuracy and completeness of documents, not merely their existence.
Do my legal documents need to be in Spanish? If your website is aimed at Spanish or European audiences, the documents must be in a language that those users can understand. In Spain, Spanish is the default. If you run a multilingual website, it is strongly recommended that your legal documents are available in every language your site supports.
Do I need a lawyer to write my website's legal documents? Not necessarily. Specialised tools can generate personalised legal documents based on the specifics of your website, including your business type, the tools you use, the data you collect and the applicable regulations. These solutions are faster and more cost-effective than commissioning each document from a lawyer, and they can update automatically when the law changes.
What if I have legal documents but they are out of date? An outdated legal document can be just as problematic as not having one. If your cookie policy lists tools you no longer use or omits tools you do use, the AEPD treats that as non-compliance. Sanctions arise not only from the absence of documents but also from documents that are inaccurate or incomplete.
How do I know whether my website is compliant? The simplest approach is a compliance audit: check whether you have the right documents for your type of website, whether your cookie banner collects consent correctly and whether all your forms include the required data collection clauses. Tools such as the Lawwwing compliance scanner can give you an automatic diagnostic of your website's legal status.
Your website's legal documents are not a bureaucratic formality. They are the foundation of user trust and your first line of defence against regulatory action. In an environment where the AEPD has stepped up enforcement and 72% of fines fall on small businesses and freelancers, keeping a legal notice, privacy policy, cookie policy, terms and conditions, accessibility statement and AI disclosures properly written and up to date is an investment, not a cost.
If you want all your website's legal documents generated, personalised and updated automatically, including a cookie banner that meets AEPD requirements and is compatible with Google Consent Mode v2, try Lawwwing for free. Your website can be fully compliant in under 10 minutes, with direct integration for WordPress, Shopify, Wix, WooCommerce, PrestaShop and more.
Sources: LSSI-CE (BOE) | GDPR (EUR-Lex) | LOPDGDD (BOE) | AEPD Cookie Guide | European Accessibility Act (EUR-Lex) | EU AI Act (EUR-Lex)