

If you run a website in Spain, you are legally required to publish three separate documents: a legal notice (aviso legal), a privacy policy and a cookie policy. All three form part of your website's legal texts, but each one serves a different purpose and is governed by different legislation. Mixing them up — or copying a generic template from the internet — can result in a fine from Spain's data protection authority (AEPD). Here's exactly what sets them apart and what each one must contain.
The legal notice (aviso legal) is the document that identifies who owns and operates the website. It is required under Article 10 of Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE), and is mandatory for any website with activity in Spain — regardless of whether you sell products, collect data or simply publish content.
A legal notice must include, at a minimum:
Failure to comply with the LSSI-CE can result in fines of up to €150,000 in the most serious cases.
What a legal notice is NOT: it does not regulate the processing of personal data, nor does it inform users about the use of cookies. Those are covered by the other two documents.
The privacy policy is the document that tells users how you collect, use and protect their personal data. It is mandatory for any website that collects data — even if it's just an email address through a basic contact form.
Its legal basis is the General Data Protection Regulation (GDPR, EU Regulation 2016/679) and Organic Law 3/2018 on Personal Data Protection and Digital Rights Guarantee (LOPDGDD), which adapts the GDPR to Spanish law.
A privacy policy must inform users of:
The AEPD issued 299 sanctions totalling €40 million in 2025, many of them for privacy policies that were missing, incomplete or copied without being adapted to the actual business. A generic policy downloaded from the internet does not comply with GDPR requirements unless it accurately reflects how you actually process data.
The cookie policy informs users about which cookies your website uses, what they are for and how users can manage them. It is mandatory under Article 22.2 of the LSSI-CE and must comply with the Cookie Usage Guide published by the AEPD (current version).
A cookie policy is not the same as a cookie banner, though the two are related:
A cookie policy must include:
The AEPD has issued fines of up to €90,000 for installing cookies without prior consent, and has ruled that even using Google Analytics without proper configuration can constitute a violation.

| Feature | Legal Notice | Privacy Policy | Cookie Policy |
|---|---|---|---|
| Purpose | Identify the website owner | Inform users about personal data processing | Inform users about cookie usage |
| Legal basis | LSSI-CE (Art. 10) | GDPR + LOPDGDD | LSSI-CE (Art. 22) + AEPD Cookie Guide |
| Always mandatory? | Yes, for every website | Only if personal data is collected | Only if the website uses cookies |
| Requires active consent? | No | No (except for data processing itself) | Yes, for non-essential cookies |
| Maximum fine for non-compliance | Up to €150,000 (LSSI) | Up to €20M or 4% of global turnover (GDPR) | Up to €20M or 4% of global turnover (GDPR) |
| Must be updated when? | When owner's details change | With every change in data processing | With every change in cookies used |

There is no legal obligation to have them on separate pages, but best practice — and the most common approach — is to publish them as individual pages or at least clearly distinct sections. The AEPD requires that information be easily accessible, readable and understandable.
Some CMS platforms like WordPress or Shopify combine the privacy policy and cookie policy into a single "Privacy and Cookie Policy" page. This is acceptable provided both documents are complete and clearly differentiated within the page.
What is not acceptable:
Does my personal blog also need all three documents?
Yes. If your blog uses cookies — which is almost inevitable with WordPress, Google Analytics or any social sharing plugin — and if you have a contact form or newsletter sign-up, you need all three documents. The legal notice is always required, regardless of the type of website.
What happens if I copy the legal texts from another website?
Copying another website's legal texts is a serious mistake on two levels. Legally, the owner's details won't match yours, which is a direct violation of the LSSI-CE. Technically, if the other site uses different tools from yours, the cookie policy will be inaccurate and non-compliant. The AEPD can sanction you even when you have the documents if they are inaccurate or outdated.
How often should I update these documents?
You should review your legal texts whenever: (1) you add or change tools that collect data or install cookies (CRM, ad pixels, live chat…); (2) there is a relevant regulatory update (new AEPD cookie guide, GDPR amendments…); or (3) the website owner's details change. At a minimum, an annual review is strongly recommended.
Does a cookie banner replace the need for a cookie policy?
No. They are complementary. The banner collects consent; the cookie policy is the detailed document that the banner must link to. Without the policy, the banner does not meet AEPD requirements.
What's the difference between a privacy policy and a cookie policy in relation to GDPR?
Both relate to GDPR, but they cover different aspects. The privacy policy governs personal data processing in general — forms, orders, user registrations. The cookie policy focuses specifically on the data processing that results from installing cookies, which may also involve personal data if cookies are used for tracking or identification. In practice, many websites merge them into a single "Privacy and Cookie Policy" document.
A legal notice, privacy policy and cookie policy are distinct obligations under different laws, but they share the same goal: ensuring that your website's users know their rights and understand how you handle their information.
In 2026, with the AEPD tightening its enforcement — 299 sanctions and €40 million in fines in 2025 alone — having outdated or copied legal texts is a real risk for any business, large or small.
The good news is that you don't need to write them from scratch or hire a lawyer every time the law changes. Lawwwing automatically generates a customised legal notice, privacy policy and cookie policy for your website, keeps them updated as regulations evolve, and integrates them with your cookie banner on WordPress, Shopify, Wix and more. Try it free and have your website compliant in under 10 minutes.
Sources: LSSI-CE - BOE | GDPR - EUR-Lex | AEPD Cookie Guide | LOPDGDD - BOE