{"id":12223,"date":"2026-07-13T09:19:12","date_gmt":"2026-07-13T08:19:12","guid":{"rendered":"https:\/\/lawwwing.com\/?p=12223"},"modified":"2026-07-13T09:19:24","modified_gmt":"2026-07-13T08:19:24","slug":"aepd-penalties-2025","status":"publish","type":"post","link":"https:\/\/lawwwing.com\/en\/aepd-penalties-2025\/","title":{"rendered":"Cookies, Banners and Legal Texts: What the AEPD Penalised in 2025"},"content":{"rendered":"\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The Spanish Data Protection Agency (AEPD) has made it clear that regulatory compliance on the internet must be one of companies' top priorities. The publication of its <a href=\"https:\/\/www.aepd.es\/memorias\/memoria-aepd-2025.pdf\"><strong>Annual Report<\/strong><\/a><strong> <\/strong>confirms a trend that has been strengthening for years: complaints continue to rise, inspections are becoming more frequent, and non-compliance on websites and e-commerce platforms remains one of the supervisory authority's main areas of enforcement.<\/p>\n\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">1. 2025: Record figures in data protection<\/h2>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Before looking at e-commerce in detail, it is worth reviewing the broader context of the AEPD's enforcement activity over the past year. In 2025, a total of <strong>30,931 complaints<\/strong> were filed, representing a <strong>64% increase<\/strong> compared with the previous year. As a result, the Agency resolved <strong>23,361 complaints<\/strong>, the highest number in its history.<\/p>\n\n\n\n<p>In addition, the total amount of fines imposed reached <strong>\u20ac33.9 million<\/strong>, reflecting the Agency's growing enforcement activity and the importance it places on protecting personal data. Although the largest fines were concentrated in sectors such as transport, telecommunications, and major digital platforms, infringements committed by e-commerce businesses continue to account for a significant number of enforcement proceedings.<\/p>\n\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">2. Websites as a Key Focus of Enforcement<\/h2>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Data protection legislation does not only apply to large companies; it applies to any organisation that operates a website collecting personal data. Many websites use contact forms, newsletter subscriptions, analytics cookies, advertising pixels, remarketing tools, live chat services, or, in the case of e-commerce businesses, complete online purchasing processes.<\/p>\n\n\n\n<p>All of these processing activities are subject to the General Data Protection Regulation (GDPR), the Spanish Organic Law on Data Protection and the Guarantee of Digital Rights (LOPDGDD), the Law on Information Society Services and Electronic Commerce (LSSI), and, increasingly, new European regulatory frameworks governing digital services and artificial intelligence.<\/p>\n\n\n\n<p>One of the most striking findings in the Annual Report is that internet services account for <strong>15% <\/strong>of the areas subject to the highest number of sanctions imposed by the AEPD. This figure is particularly significant because it encompasses many of the infringements commonly associated with the day-to-day operation of corporate websites, professional websites, and e-commerce platforms.<\/p>\n\n\n\n<p>In practice, most of these enforcement proceedings stem from very similar issues:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Incorrect implementation of cookies.<\/li>\n\n\n\n<li>Failure to obtain valid user consent.<\/li>\n\n\n\n<li>Incomplete privacy policies.<\/li>\n\n\n\n<li>Breaches of the duty to provide information.<\/li>\n\n\n\n<li>Use of analytics or marketing tools without an appropriate legal basis.<\/li>\n\n\n\n<li>Errors in identifying the data controller.<\/li>\n<\/ul>\n\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">3. What Were the Most Significant AEPD Sanctions in 2025?<\/h2>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Among the most notable enforcement actions of the year are several cases that demonstrate the AEPD's increasingly strict approach to personal data processing in the digital environment:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AENA <\/strong>was fined \u20ac10 million for implementing a facial recognition system for passenger access and boarding without first carrying out the mandatory Data Protection Impact Assessment (DPIA).<\/li>\n\n\n\n<li><strong>Xfera M\u00f3viles<\/strong> was fined \u20ac4 million for breaches of confidentiality and security arising from a personal data breach.<\/li>\n\n\n\n<li><strong>Carrefour <\/strong>was fined \u20ac3.2 million following a security breach and for failing to exercise adequate diligence in protecting its customers' personal data.<\/li>\n<\/ul>\n\n\n\n<p>These cases share a common pattern: inadequate technical and organisational measures, the absence of prior risk assessments, and insufficient diligence in safeguarding users' personal data.<\/p>\n\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">4. E-commerce Businesses: Particularly Exposed to Compliance Risks<\/h2>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>E-commerce businesses are subject to a particularly high level of regulatory compliance when it comes to the protection of personal data.<\/p>\n\n\n\n<p>An e-commerce website does much more than simply install cookies. It manages user accounts, processes orders, stores postal addresses, handles payment information, sends marketing communications, relies on logistics platforms, integrates payment gateways, connects automated marketing tools, and shares information with multiple technology providers.<\/p>\n\n\n\n<p>As a result, each of these processing activities must comply with the obligations set out in the General Data Protection Regulation (GDPR). The more processing activities your e-commerce business carries out, the greater the risk of non-compliance.<\/p>\n\n\n\n<p>A significant number of enforcement proceedings have been brought against e-commerce businesses for failing to comply with data protection legislation. These include fines for installing cookies without obtaining users' consent, preventing users from effectively rejecting cookies, providing incomplete privacy policies, or failing to correctly identify the data controller.<\/p>\n\n\n\n<p>For this reason, we highlight some of the enforcement decisions issued in 2025 that specifically affected e-commerce businesses:<\/p>\n\n\n\n<div class=\"wp-block-group has-global-padding\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<ul class=\"wp-block-list\">\n<li><strong>MaxPower: \u20ac1,600 fine for installing cookies without consent and failing to provide granular cookie controls.<br><\/strong>The enforcement decision identified several compliance failures on the company's website. First, cookies were installed before users had taken any action or consented to their use. Second, technical inspections confirmed that, even after selecting the \"Reject\" option, the website continued to use the same cookies detected at the beginning of the session. Third, users were not able to accept or reject cookies on a granular basis, nor was there a permanent link allowing them to easily modify or withdraw their consent while browsing. Finally, the cookie policy lacked essential information, including a definition and general explanation of cookies, the identity of the third-party providers involved, and the applicable data retention periods.<br><br><\/li>\n\n\n\n<li><strong>Amor Ideal: \u20ac600 fine for an incomplete Privacy Policy.<\/strong><br>In this case, the fine arose from a complaint lodged by a customer who had purchased the company's \"Love Coaching\" services and claimed that no information had been provided regarding the processing of their personal data. The AEPD found that the invoice issued to the customer contained no information whatsoever on data protection or the company's privacy policy. Furthermore, at the time of the events, the company's website did not include a privacy policy identifying the data controller or informing users of their rights.<br><br><\/li>\n\n\n\n<li><strong>Trueba Sport: \u20ac1,200 fine for failing to identify the data controller and provide a link to the Privacy Policy.<\/strong><br>The AEPD concluded that Trueba Sport, the organiser of the cycling competition \"Vuelta Hispania,\" had committed two infringements of the GDPR. First, it breached Article 5(1)(f), concerning the integrity and confidentiality of personal data, by sending an email to more than 300 recipients without using blind carbon copy (BCC). Second, it infringed Article 13 of the GDPR because the competition's website collected personal data through registration forms and equipment reservation forms without identifying the data controller or providing either a privacy policy or a legal notice.<br><br><\/li>\n\n\n\n<li><strong>Wallapop: \u20ac3,000 fine for an ineffective cookie banner.<\/strong><br>In this case, the AEPD imposed a fine on Wallapop for breaching Article 22 of the LSSI due to irregularities in the management of cookies on its website. The infringements stemmed from the installation of non-essential and non-technical cookies as soon as users accessed the website, before they had taken any action or given their consent. In addition, the investigation confirmed that, even when users selected the \"Reject All\" option, the website continued to use the same non-essential cookies that had been detected at the start of the browsing session. The cookie rejection mechanism was therefore considered ineffective. Finally, users were unable to easily modify or withdraw their cookie consent while browsing, as the cookie management panel did not allow the effective removal of cookies during the session.<br><br><\/li>\n\n\n\n<li><strong>El Debate: \u20ac3,000 fine for installing non-essential cookies without consent and preventing effective withdrawal of consent.<\/strong><br>The AEPD found that Ediciones Cat\u00f3licos y Vida P\u00fablica, S.L.U., publisher of the newspaper El Debate, had breached Article 22(2) of the LSSI. Specifically, the Agency identified irregularities relating to the installation of cookies without obtaining users' consent before they had interacted with the website or granted permission. Furthermore, the AEPD confirmed that, even when users rejected all cookies or withdrew their consent through the cookie settings banner, certain advertising and analytics cookies remained installed in their browsers.<br><br><\/li>\n\n\n\n<li><strong>Inmo-master: \u20ac1,000 fine for deficiencies in its Privacy Policy.<\/strong><br>In the case of Retsinnal Group, S.L.U., operator of the website www.inmo-master.com, the AEPD imposed a fine for breaching Article 13 of the GDPR due to deficiencies in its privacy policy. The policy failed to properly identify the data controller, as it did not include the company name, tax identification number (NIF), or the contact details required under the GDPR when personal data is collected through online forms.<\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n<p>As these cases demonstrate, five out of the six enforcement decisions relate to cookies and consent management, while the sixth concerns an incomplete or poorly drafted Privacy Policy. In short, these are compliance failures that can be avoided by implementing a robust data protection compliance strategy from the outset.<\/p>\n\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">A Cookie Banner That Complies with the Law<\/h3>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>One of the areas most heavily scrutinised by the AEPD in 2025 is the way websites obtain and manage users' consent for cookies. Simply displaying a cookie banner is no longer enough. The Agency requires consent mechanisms to be clear, informed, and granular. This means, among other things, that:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Accepting and rejecting cookies must be equally easy.<\/li>\n\n\n\n<li>Users must be able to withdraw their consent at any time, using a process that is as simple as the one used to give it.<\/li>\n\n\n\n<li>Information must be provided on each category of cookies separately, rather than grouping them together.<\/li>\n\n\n\n<li>No non-essential cookies may be installed before the user's explicit consent has been obtained.<\/li>\n<\/ul>\n\n\n\n<p>The <strong>Wallapop <\/strong>case demonstrates that the AEPD is no longer focusing solely on whether consent has been obtained. It also scrutinises the effectiveness of the \"Reject All\" button and the ease with which users can withdraw their consent\u2014two aspects of interface design that have become key enforcement priorities.<\/p>\n\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Up-to-Date Privacy Policies and Legal Notices<\/h3>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Another recurring area of enforcement in the e-commerce sector concerns something as fundamental as correctly identifying the data controller and providing a complete and easily accessible Privacy Policy.<\/p>\n\n\n\n<p>In the <strong>Trueba Sport <\/strong>case, the company was fined for failing to identify the data controller and for not providing a link to its Privacy Policy. In the <strong>Inmo-master<\/strong> case, the fine was imposed because the Privacy Policy contained significant deficiencies.<\/p>\n\n\n\n<p>These enforcement decisions serve as a reminder that businesses must clearly inform users about who is processing their personal data, the purposes for which it is processed, the applicable data retention periods, and the rights available to them under data protection law.<\/p>\n\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2026 Compliance Checklist: <\/strong>What Every E-commerce Business Should Be Doing<\/h3>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The findings in the AEPD's Annual Report send a clear message: every e-commerce business is becoming increasingly likely to face a complaint\u2014whether from a customer, a competitor, or the Agency itself.<\/p>\n\n\n\n<p>Against this backdrop, ensuring that your e-commerce website complies with applicable regulations has never been more important. We therefore recommend that you:<\/p>\n\n\n\n<div class=\"wp-block-group has-global-padding\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<p><img decoding=\"async\" width=\"17.599999999999998px\" height=\"17.599999999999998px\" src=\"blob:https:\/\/lawwwing.com\/8f7ef772-9e76-4fae-9b7a-2808a5cd1aac\" alt=\"desmarcada\"> Keep your legal documentation up to date, including your Privacy Policy, Legal Notice, and Terms of Use.<\/p>\n\n\n\n<p><img decoding=\"async\" width=\"17.599999999999998px\" height=\"17.599999999999998px\" src=\"blob:https:\/\/lawwwing.com\/f5cea246-1830-4420-ac2e-b920a59cbbbe\" alt=\"desmarcada\"> Implement technical and organisational security measures that are appropriate to the risks associated with your data processing activities.<\/p>\n\n\n\n<p><img decoding=\"async\" width=\"17.599999999999998px\" height=\"17.599999999999998px\" src=\"blob:https:\/\/lawwwing.com\/bba2cd82-8ebe-4dee-a1bf-4171139eb8ee\" alt=\"desmarcada\"> Carry out regular reviews of your website, including cookie audits and assessments of third-party tracking technologies.<\/p>\n\n\n\n<p><img decoding=\"async\" width=\"17.599999999999998px\" height=\"17.599999999999998px\" src=\"blob:https:\/\/lawwwing.com\/8a88565a-6910-47aa-a58e-776f91da8fc4\" alt=\"desmarcada\"> Use a cookie banner that complies with current legislation and the latest guidance issued by the European Data Protection Board (EDPB).<\/p>\n\n\n\n<p><img decoding=\"async\" width=\"17.599999999999998px\" height=\"17.599999999999998px\" src=\"blob:https:\/\/lawwwing.com\/e5fc3873-81f4-421d-88be-72eac1662c48\" alt=\"desmarcada\"> Ensure that user consent is valid, freely given, specific, informed, and unambiguous.<\/p>\n\n\n\n<p><img decoding=\"async\" width=\"17.599999999999998px\" height=\"17.599999999999998px\" src=\"blob:https:\/\/lawwwing.com\/f0b5599e-802d-4268-bfd5-c04d2a4c6212\" alt=\"desmarcada\"> Comply with the accessibility requirements applicable to websites.<\/p>\n\n\n\n<p><img decoding=\"async\" width=\"17.599999999999998px\" height=\"17.599999999999998px\" src=\"blob:https:\/\/lawwwing.com\/a2051b3a-0220-4efc-ad41-6ee2236c4feb\" alt=\"desmarcada\"> Implement a withdrawal (right of cancellation) button where required by law.<\/p>\n\n\n\n<p><img decoding=\"async\" width=\"17.599999999999998px\" height=\"17.599999999999998px\" src=\"blob:https:\/\/lawwwing.com\/d06fcbb2-1e83-4e88-96bd-fc178850e838\" alt=\"desmarcada\"> Comply with the transparency and labelling requirements of the AI Act where your processing activities involve artificial intelligence systems.<\/p>\n\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">How Lawwwing Can Help your ecommerce\u00a0<\/h2>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>At Lawwwing, we have spent years helping e-commerce businesses, SMEs, and large organisations bring their websites into line with data protection, cookie compliance, and digital regulatory requirements.<\/p>\n\n\n\n<p>Our software enables you to configure a fully compliant cookie banner and generate key legal documents for your website, including your Privacy Policy, Legal Notice, and Terms of Use.<\/p>\n\n\n\n<p>Don't wait until you receive a notification from the AEPD before taking the data protection compliance of your e-commerce website seriously. The figures published for 2025 clearly show that digital regulatory compliance is no longer optional\u2014it is a key factor in protecting your business's reputation, reducing legal risk, and ensuring its long-term success.<\/p>\n\n\n\n<p>\ud83d\udc49 Get in touch with the Lawwwing team today and discover how we can help safeguard your e-commerce business against AEPD enforcement and regulatory fines.<\/p>\n\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-full is-style-default\"><img decoding=\"async\" width=\"471\" height=\"310\" src=\"https:\/\/lawwwing.com\/wp-content\/uploads\/2026\/07\/image-1.png\" alt=\"\" class=\"wp-image-12212\" srcset=\"https:\/\/lawwwing.com\/wp-content\/uploads\/2026\/07\/image-1.png 471w, https:\/\/lawwwing.com\/wp-content\/uploads\/2026\/07\/image-1-300x197.png 300w\" sizes=\"(max-width: 471px) 100vw, 471px\" \/><\/figure>\n\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<\/div><\/div>\n\n\n\n<p>\u2b07\ufe0fDownload our free <a href=\"https:\/\/app-na1.hubspotdocuments.com\/documents\/47863072\/view\/1712795261?accessId=517ae7\">infographic<\/a> summarizing the AEPD's 2025 sanctions and keep the checklist handy to avoid fines in 2026.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Spanish Data Protection Agency (AEPD) has made it clear that regulatory compliance on the internet must be one of companies' top priorities. The publication of its Annual Report confirms a trend that has been strengthening for years: complaints continue to rise, inspections are becoming more frequent, and non-compliance on websites and e-commerce platforms remains [&hellip;]<\/p>\n","protected":false},"author":22,"featured_media":12226,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","inline_featured_image":false,"footnotes":""},"categories":[364,203,216,213,215,214,344,210,481,578,436,243,629,211,579,328,502,508],"tags":[370,758,409,363,427,403,799,800,509],"class_list":["post-12223","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-2025-3","category-compliance-en","category-consent","category-cookies-en","category-cookies-banner","category-cookies-policy-en","category-cookies-web-en","category-data-protection","category-ecommerce-2","category-fine","category-fines","category-online-privacy-en","category-penalty","category-privacy-policy-en","category-spain-2","category-terms-and-conditions-en","category-web","category-website","tag-aepd","tag-compliance","tag-cookie-banner","tag-cookies","tag-data-protection","tag-fines","tag-legal-text","tag-penalties","tag-website"],"acf":[],"_links":{"self":[{"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/posts\/12223","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/users\/22"}],"replies":[{"embeddable":true,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/comments?post=12223"}],"version-history":[{"count":2,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/posts\/12223\/revisions"}],"predecessor-version":[{"id":12229,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/posts\/12223\/revisions\/12229"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/media\/12226"}],"wp:attachment":[{"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/media?parent=12223"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/categories?post=12223"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/tags?post=12223"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}