

Opening an ecommerce store in Spain, whether with WooCommerce, Shopify, PrestaShop, or any other platform, means complying with a set of legal obligations that go far beyond having a good design or a payment gateway. If your ecommerce site lacks the correct legal texts, you risk fines of up to €20 million or 4% of your annual turnover, as well as losing your customers' trust.
The mandatory legal texts for an online store in Spain are: a legal notice, a privacy policy, a cookie policy, and terms of sale. Additionally, from June 2026, there is a new requirement for a visible withdrawal button in the customer account area.
This guide explains exactly what your online store needs, what the regulations say, and how to implement everything simply.
Why does your online store need specific legal texts?
An online store collects far more personal data than an informational website and creates contractual relationships with its buyers. For this reason, Spanish regulations require more comprehensive legal texts than a simple blog would need.
The laws governing legal compliance for your ecommerce store are:
Failure to comply with any of these rules can result in financial penalties and complaints from users or competitors to the AEPD (Spain's data protection authority).
Mandatory legal texts for your online store
1. Legal Notice
The legal notice is the legal identity card of your online store. It must be accessible from any page (normally in the footer) and include:
Legal basis: Article 10 of the LSSI-CE. Penalty for non-compliance: up to €10,000 for minor infringements, up to €50,000 for serious infringements.
2. Privacy Policy
Your online store collects personal data at multiple touchpoints: user registration, the checkout process, contact forms, and newsletter sign-ups. For each of these, the user has the right to know how their data is used.
The privacy policy must include:
Legal basis: GDPR and LOPDGDD. Penalty for serious non-compliance: up to €20 million or 4% of annual turnover.
3. Cookie Policy and Cookie Banner
Every online store uses cookies: analytics tools (Google Analytics), advertising pixels (Meta Pixel, Google Ads), shopping cart session cookies, and so on.
The cookie policy must:
The cookie banner must:
Real AEPD penalties for cookie violations: €4,000 fine against La Vanguardia for pre-ticking cookie boxes; €90,000 against a company for installing cookies without prior consent. The AEPD penalises large companies and SMEs/freelancers alike.
4. Terms of Sale (or General Terms and Conditions)
This is the legal text that distinguishes an online store from a corporate website. It sets out the rules of the commercial relationship with your customer and must include:
| Element | What to include |
|---|---|
| Purchase process | Steps to complete an order, order confirmation |
| Prices | Final price including VAT and itemised shipping costs |
| Payment methods | Available options and payment security |
| Delivery times | Maximum timeframe (by law, 30 days if not specified) |
| Returns | Your own policy + 14-day right of withdrawal |
| Guarantees | 3 years for new products (since 2022, previously 2) |
| Complaints | How to submit a complaint and response timeframe |
Important update for 2026: new ecommerce regulations require a visible and accessible withdrawal button in the customer account area. Consumers must be able to exercise their right to return in a single click, without having to search for forms or send emails. Stores that do not implement this before June 2026 may face penalties.
Legal basis: Royal Legislative Decree 1/2007. If you do not inform customers of the right of withdrawal, the withdrawal period is automatically extended from 14 days to 12 months.
How to implement legal texts in WooCommerce
If your store runs on WooCommerce with WordPress, here are the specific steps to take:
1. Create dedicated pages for each legal text. Create WordPress pages for the legal notice, privacy policy, cookie policy, and terms of sale. Make sure they are accessible from the footer on every page.
2. Link the privacy policy in forms. WooCommerce includes registration, checkout, and contact forms. Each must have a consent checkbox linked to your privacy policy. Consent must be active (not pre-ticked).
3. Set up a cookie banner compatible with Consent Mode v2. WooCommerce does not include GDPR-compliant cookie management by default. You need a Consent Management Platform (CMP) that meets AEPD guidelines and integrates with Google Consent Mode v2.
4. Include legal texts in the checkout process. On the checkout page, customers must be able to view and accept the terms of sale before confirming their order.
5. Keep them up to date. Regulations change. Every regulatory update must be reflected in your legal texts. If you use an automated solution, this step takes care of itself.
The simplest approach: use Lawwwing, which integrates directly with WordPress and WooCommerce to generate and keep all legal texts and the cookie banner up to date in line with AEPD requirements, without any manual work on your part.
What happens if you copy legal texts from another store?
This is a very common mistake with two types of consequences:
Legal: another store's texts don't reflect how you handle your customers' data or your specific terms of sale. If the AEPD inspects you, any gap between what you describe and what you actually do can make the penalty worse.
Commercial: if you copy a competitor's texts, you're committing to their terms — their delivery times, their returns policy, their data processor. This can create unnecessary disputes with your customers.
Legal texts must always be tailored to your actual business.
Checklist: is your online store legally compliant?
Before considering this topic closed, run through this list:
Frequently asked questions about legal texts for online stores
Are legal texts mandatory for a small online store? Yes, absolutely. The regulations apply equally to a store making 10 sales a month as to Amazon. Business size does not exempt you from legal obligations. In fact, SMEs and sole traders account for a significant proportion of AEPD penalties, precisely because they tend to neglect compliance more often.
How much does it cost to draft legal texts for an online store? With a specialist lawyer, initial drafting can cost between €300 and €1,000, not including ongoing maintenance. SaaS solutions like Lawwwing offer automatic generation with updates included from just a few euros per month, which works out cheaper and safer in the long run.
Do I need terms of sale if I only sell digital products (courses, ebooks)? Yes. Whether you sell physical or digital products, you need terms of sale. For digital products there are exceptions to the right of withdrawal (for example, if the user has already downloaded the content), but those exceptions must be explicitly stated in your terms.
How often should I update my online store's legal texts? Whenever something relevant changes: your business activity, applicable regulations, or your data providers (switching payment gateways, shipping companies, adding Google Analytics, etc.). At a minimum, review them every 6 months. An automated solution updates them in real time.
Is the cookie banner the same as the cookie policy? No. The banner is the notification that appears to users on their first visit, allowing them to accept, reject, or configure cookies. The cookie policy is the full document that explains in detail all the cookies your website uses. You need both: the banner to obtain consent, and the policy to provide detailed information.
Conclusion
An online store without adequate legal texts doesn't just face significant financial penalties — it also loses customer trust and is exposed to legal disputes with every transaction. The legal notice, privacy policy, cookie policy, and terms of sale are the legal foundation of your ecommerce, and keeping them up to date with current regulations is an ongoing obligation.
With Lawwwing you can generate all the legal texts for your online store in minutes, fully tailored to your business and to current Spanish regulations for 2026, with automatic updates included. Compatible with WooCommerce, Shopify, PrestaShop, Wix, and more.
Want to know if your store is compliant? Try Lawwwing for free at lawwwing.com and eliminate the risk of AEPD penalties.