GDPR has been in effect since 2018, and I’m still amazed by how many websites get it wrong. Not big, complicated violations; basic stuff. Cookie banners that don’t actually block cookies. Privacy policies copied from a US template. Contact forms that store data without telling anyone. “Consent” checkboxes that are pre-ticked.
If you have a website and serve anyone in Europe (and if you’re reading this from Spain, you almost certainly do), GDPR compliance isn’t optional. And the fines aren’t theoretical anymore. The Spanish Data Protection Agency (AEPD) has been actively issuing fines to businesses of all sizes, including small businesses and individuals. In 2024 alone, the AEPD issued over 400 sanctions.
I’ve put together this practical checklist based on what I’ve seen auditing dozens of small business websites. No legal jargon, no 50-page documents, just the concrete things your website needs to have in place.
Before We Start: GDPR vs LOPD-GDD
If you’re operating in Spain, you’re subject to two overlapping data protection frameworks:
GDPR (General Data Protection Regulation): The EU-wide regulation. It applies to any business processing personal data of EU residents.
LOPD-GDD (Ley Orgánica de Protección de Datos y Garantía de los Derechos Digitales): Spain’s national implementation of GDPR. It adds some Spain-specific provisions on top of the GDPR framework, including rules about employee data, deceased persons’ data, and digital rights.
For your website, the practical requirements are almost identical. If you comply with GDPR best practices and add the Spain-specific elements I’ll mention, you’re covered on both fronts.
1. Cookie Consent (The Most Visible Issue)
This is where 80% of websites fail. Let me be blunt: a cookie banner that just says “We use cookies” with an “Accept” button is not compliant. It never was, but enforcement has gotten much stricter.
What you actually need:
- Clear accept AND reject options. The reject option must be equally prominent, not hidden behind a “Manage preferences” link that requires three more clicks. The AEPD has specifically ruled on this.
- No pre-ticked boxes. All non-essential cookies must be off by default. The user actively opts in, not opts out.
- Cookies must actually be blocked until consent. This is the big one most sites get wrong. Your banner shows up, but Google Analytics, Facebook Pixel, and every other tracking script is already running before the user clicks anything. That’s a violation.
- Granular choice. Users should be able to accept some cookie categories and reject others (e.g., accept analytics but reject marketing).
- Easy withdrawal. Users must be able to change their cookie preferences at any time. Include a “Cookie Settings” link in your footer.
- Cookie policy. A separate page (or section of your privacy policy) that lists every cookie your site uses, its purpose, and its duration.
Recommended tools: For WordPress, CookieYes, Complianz, or GDPR Cookie Consent by WebToffee are solid options. They integrate with popular analytics and advertising scripts to actually block them until consent is given. Avoid cheap solutions that just show a banner without actually controlling cookie behaviour.
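To make the “blocked until consent” requirement concrete, here is an added example of the mechanism a consent gate relies on. It is not code from the post or from any of the plugins named above; the category names, the storage key and the data attributes are assumptions.

```javascript
// Added example, not code from the post or from any plugin it names. Trackers are
// embedded as <script type="text/plain" data-category="analytics" data-src="..."> so
// the browser neither fetches nor runs them until the category is consented to.
const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed category names
const STORAGE_KEY = "cookie_consent";                       // assumed storage key
// Default state: every non-essential category is OFF (no pre-ticked boxes).
function defaultConsent() {
  return { version: 1, timestamp: null,
           categories: { necessary: true, analytics: false, marketing: false } };
}
// Consent record from the user's explicit choices: "necessary" cannot be switched
// off, unknown categories are ignored, anything not ticked stays false.
function recordConsent(choices, now = Date.now()) {
  const state = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== "necessary" && choices[cat] === true) state.categories[cat] = true;
  }
  state.timestamp = now;
  return state;
}
// Parse a stored record; anything missing or malformed counts as "no consent".
function loadConsent(raw) {
  try {
    const p = JSON.parse(raw);
    if (!p || p.version !== 1 || typeof p.timestamp !== "number" ||
        !p.categories || typeof p.categories !== "object") return defaultConsent();
    return recordConsent(p.categories, p.timestamp);
  } catch (e) { return defaultConsent(); }
}
const isAllowed = (state, cat) => state.categories[cat] === true;
// Activate gated scripts whose category is allowed; returns how many were enabled.
// `doc` is injectable so the logic can be exercised outside a browser.
function activateScripts(state, doc = document) {
  let enabled = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (!isAllowed(state, el.getAttribute("data-category"))) continue;
    const live = doc.createElement("script");
    const src = el.getAttribute("data-src");
    if (src) live.src = src; else live.textContent = el.textContent;
    el.replaceWith(live); // a freshly inserted script element is executed
    enabled++;
  }
  return enabled;
}
// Withdrawal (the footer "Cookie Settings" link): wipe the record and reload so
// trackers already running stop. `storage` and `reload` are injectable.
function withdrawConsent(storage = localStorage, reload = () => location.reload()) {
  storage.removeItem(STORAGE_KEY);
  reload();
}
```

On page load you would call `activateScripts(loadConsent(localStorage.getItem(STORAGE_KEY)))`, and again with the new record after the banner’s accept button; a script with a real `src` and `type="text/javascript"` would have run before the banner appeared, which is exactly the violation described above.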
2. Privacy Policy (Your Legal Foundation)
Every website needs a privacy policy. Here’s what yours must include under GDPR and LOPD-GDD:
- Identity of the data controller: Your full business name, NIF/CIF, registered address, and contact details. For Spanish businesses, include your entry in the Registro Mercantil if applicable.
- What data you collect: Be specific. “Personal information” is not specific enough. List the actual data: name, email, phone, IP address, browsing behaviour via cookies, etc.
- Why you collect it (legal basis): For each type of data, state the legal basis. The main ones are: consent (for marketing emails), legitimate interest (for analytics), contractual necessity (for processing orders), and legal obligation (for invoicing/tax records).
- How long you keep it: Data retention periods for each type of data. You can’t keep data forever “just in case.” Be specific: “Contact form submissions are retained for 12 months” or “Invoice data is retained for 5 years as required by Spanish tax law.”
- Who you share it with: List third parties that process data on your behalf. Google Analytics, your email marketing provider, your hosting company, payment processors, all need to be mentioned.
- International data transfers: If data leaves the EU (and it probably does: Google, Mailchimp, and many other US services fall into this category), explain the legal mechanism that allows this (Standard Contractual Clauses, adequacy decisions, etc.).
- User rights: Under GDPR, users have rights to access, rectify, delete, port, restrict, and object to their data processing. List these rights and explain how to exercise them.
- AEPD complaint right: You must inform users they can file complaints with the Agencia Española de Protección de Datos (www.aepd.es). This is a Spain-specific requirement.
Important: Don’t copy someone else’s privacy policy. It needs to accurately reflect YOUR data processing activities. A privacy policy that doesn’t match your actual practices is worse than no privacy policy at all: it’s evidence of negligence.
3. Contact Forms and Data Collection
Every form on your website that collects personal data needs:
- Explicit consent checkbox (unticked by default): Something like “I have read and accept the Privacy Policy” with a link to the privacy policy. This must be actively checked by the user.
- Separate marketing consent: If you plan to use the email address for marketing (newsletters, promotions), that needs a separate checkbox. You cannot bundle marketing consent with the privacy policy acceptance.
- First layer information: Under the LOPD-GDD’s “layered information” approach, you should provide basic data protection information right next to the form: who controls the data, the purpose, and a link to the full privacy policy.
- Secure transmission: All forms must submit data over HTTPS. If your site still runs on HTTP, fix this immediately; it’s both a security issue and a GDPR issue.
This applies to contact forms, newsletter signup forms, booking forms, comment forms, anything that collects personal data.
4. Email Marketing Compliance
If you send marketing emails (newsletters, promotions, offers), these rules apply:
- Double opt-in is recommended. While single opt-in is technically legal under GDPR if you can prove consent, double opt-in (user confirms via email) provides much stronger proof of consent. The AEPD looks favourably on this.
- Every email needs an unsubscribe link. One click, immediate effect. No “it may take 10 business days” nonsense.
- Keep records of consent. You need to be able to prove when and how each subscriber consented. Most email platforms (Mailchimp, Brevo, ActiveCampaign) track this automatically; make sure the feature is enabled.
- LSSI requirements: Spain’s LSSI (Ley de Servicios de la Sociedad de la Información) additionally requires that commercial emails be clearly identified as such and include the sender’s identity.
5. Legal Notice (Aviso Legal)
This is a Spain-specific requirement under the LSSI that many international businesses operating in Spain miss. Your website must display:
- Business name and legal form (e.g., S.L., S.A., autónomo)
- NIF/CIF number
- Registered address
- Contact email
- Registro Mercantil details (if applicable)
- Professional regulatory body (if applicable, for lawyers, architects, doctors, etc.)
This can be a separate “Legal Notice” / “Aviso Legal” page or included in your footer and privacy policy. Most Spanish business websites have a dedicated page for this.
6. Third-Party Services Audit
Most GDPR issues on small business websites come from third-party services that were added without thinking about data implications. Do an audit of every external service your website connects to:
- Google Analytics: Are you using GA4? Have you configured IP anonymisation? Have you signed Google’s Data Processing Agreement? Is analytics consent properly managed through your cookie banner?
- Google Fonts: If your website loads fonts directly from Google’s servers, Google receives visitor IP addresses. Host fonts locally instead. (This was the subject of a landmark German ruling that resulted in fines.)
- Social media embeds: YouTube videos, Instagram feeds, and Facebook widgets all send data to their respective platforms. Use privacy-enhanced embed modes where available (YouTube’s nocookie domain, for example).
- Chat widgets: WhatsApp Business, Tawk.to, and live chat tools all process data. Ensure they’re covered in your privacy policy.
- Maps: Google Maps embeds send data to Google. Consider using static map images with a link to Google Maps instead, or load maps only after consent.
7. Data Security Basics
GDPR requires “appropriate technical measures” to protect personal data. For a small business website, this means:
- HTTPS everywhere. Your entire site must run on HTTPS, not just the checkout or contact pages. Free SSL certificates from Let’s Encrypt make this easy.
- Strong passwords and 2FA. Your WordPress admin, hosting panel, and email accounts should all have strong, unique passwords and two-factor authentication where available.
- Regular updates. WordPress core, themes, and plugins should be kept updated. Security vulnerabilities in outdated software are a data protection risk.
- Regular backups. If something goes wrong, you need to be able to restore data. This is part of your GDPR obligations.
- Access control. Only give admin access to people who need it. Remove access when it’s no longer needed.
Good managed hosting handles most of these technical requirements for you: SSL, updates, backups, and security monitoring.
8. Data Breach Protocol
Under GDPR, if personal data is breached (hacked, accidentally exposed, stolen), you must:
- Notify the AEPD within 72 hours of becoming aware of the breach
- Notify affected individuals “without undue delay” if the breach poses a high risk to their rights
- Document all breaches, even minor ones, in a breach register
You don’t need to have experienced a breach to comply; you need to have a plan in place for if it happens. Even a simple one-page document that outlines who does what and when is better than nothing.
The Compliance Checklist
Here’s your actionable checklist. Go through your website and tick these off:
- Cookie banner with accept/reject options that actually blocks cookies until consent
- Cookie policy listing all cookies, their purpose, and duration
- Comprehensive privacy policy covering all GDPR and LOPD-GDD requirements
- Legal notice (Aviso Legal) with all LSSI-required business information
- Consent checkboxes on all forms (unticked by default)
- Separate marketing consent checkbox where applicable
- Double opt-in for email marketing
- Unsubscribe link in all marketing emails
- Google Fonts hosted locally (not loaded from Google servers)
- Privacy-enhanced social media embeds
- HTTPS on entire site
- All third-party data processors listed in privacy policy
- Data retention periods defined and documented
- Data breach notification procedure in place
- Cookie Settings link accessible from footer
If you’re missing more than three items on this list, your website has significant compliance gaps. The good news is that most of these are fixable in a day or two.
Common Mistakes I See Constantly
“We only use cookies to improve your experience. By continuing to browse, you consent.” This is not valid consent. Browsing is not consent. Users must actively opt in.
Copy-pasted privacy policies from other businesses. If your privacy policy mentions services you don’t use or fails to mention services you do use, it’s worse than useless.
Consent checkboxes pre-ticked by default. This is explicitly prohibited by GDPR. Pre-ticked = no consent.
“I’m too small for anyone to notice.” The AEPD has fined individual autónomos. Size doesn’t protect you.
Relying on a cookie banner plugin without configuring it. Installing a cookie consent plugin is step one. Configuring it to actually block scripts before consent is step two, and most people stop at step one.
Need Help Getting Compliant?
If all of this feels overwhelming, you’re not alone. GDPR compliance is one of those things that’s conceptually simple but practically fiddly. Every website is different, every business processes different data, and the details matter.
A website audit is the fastest way to identify your specific compliance gaps. And if you’re building a new website, getting compliance right from the start with proper web design is infinitely easier than retrofitting it later.
Have questions? Drop us a line at Fork IT Studio, we deal with this stuff every day.