<\/p>\n\n\n\n
If you run a website in Spain, you are legally required to publish three separate documents: a legal notice<\/strong> (aviso legal<\/em>), a privacy policy<\/strong> and a cookie policy<\/strong>. All three form part of your website's legal texts, but each one serves a different purpose and is governed by different legislation. Mixing them up \u2014 or copying a generic template from the internet \u2014 can result in a fine from Spain's data protection authority (AEPD). Here's exactly what sets them apart and what each one must contain.<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n The legal notice<\/strong> (aviso legal<\/em>) is the document that identifies who owns and operates the website. It is required under Article 10 of Law 34\/2002 on Information Society Services and Electronic Commerce (LSSI-CE)<\/strong>, and is mandatory for any website with activity in Spain \u2014 regardless of whether you sell products, collect data or simply publish content.<\/p>\n\n\n\n A legal notice must include, at a minimum:<\/p>\n\n\n\n Failure to comply with the LSSI-CE can result in fines of up to \u20ac150,000<\/strong> in the most serious cases.<\/p>\n\n\n\n What a legal notice is NOT:<\/strong> it does not regulate the processing of personal data, nor does it inform users about the use of cookies. Those are covered by the other two documents.<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n The privacy policy<\/strong> is the document that tells users how you collect, use and protect their personal data. It is mandatory for any website that collects data \u2014 even if it's just an email address through a basic contact form.<\/p>\n\n\n\n Its legal basis is the General Data Protection Regulation (GDPR, EU Regulation 2016\/679)<\/strong> and Organic Law 3\/2018 on Personal Data Protection and Digital Rights Guarantee (LOPDGDD)<\/strong>, which adapts the GDPR to Spanish law.<\/p>\n\n\n\n A privacy policy must inform users of:<\/p>\n\n\n\n The AEPD issued 299 sanctions totalling \u20ac40 million in 2025<\/strong>, many of them for privacy policies that were missing, incomplete or copied without being adapted to the actual business. A generic policy downloaded from the internet does not comply with GDPR requirements unless it accurately reflects how you actually process data.<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n The cookie policy<\/strong> informs users about which cookies your website uses, what they are for and how users can manage them. It is mandatory under Article 22.2 of the LSSI-CE<\/strong> and must comply with the Cookie Usage Guide published by the AEPD<\/strong> (current version).<\/p>\n\n\n\n A cookie policy is not the same as a cookie banner, though the two are related:<\/p>\n\n\n\n A cookie policy must include:<\/p>\n\n\n\n The AEPD has issued fines of up to \u20ac90,000 for installing cookies without prior consent<\/strong>, and has ruled that even using Google Analytics without proper configuration can constitute a violation.<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n
\n\n\n\nWhat Is a Legal Notice and Why Is It Mandatory for Every Website?<\/h2>\n\n\n\n
\n
\n\n\n\nWhat Is a Privacy Policy and When Is It Required?<\/h2>\n\n\n\n
\n
\n\n\n\nWhat Is a Cookie Policy and What Does the AEPD Require?<\/h2>\n\n\n\n
\n
\n
\n\n\n\nComparison Table: Legal Notice vs Privacy Policy vs Cookie Policy<\/h2>\n\n\n\n