Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E

Spain · Reino de España

WEB ANALYTICS · COOKIE COMPLIANCE · SOUTHERN EUROPE · ES

Spain — analytics & cookie compliance reference

AEPD aligned with EDPB baseline; published practical cookie guidance; Spanish-language privacy notices required (LOPDGDD).

GDPR · ePrivacy · Free reference · sources cited
// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Spain. Sectoral rules (healthcare, banking, employment) are touched only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

National addons

Country-specific statutes layered on the EU baseline.

LOPDGDD · Stricter
Ley Orgánica 3/2018, de Protección de Datos Personales y garantía de los derechos digitales
Spanish national implementation of GDPR opening clauses + digital rights catalogue (Title X) + employee data + DPO + child consent age + sanctions regime. Adds the Spanish 'derechos digitales' framework (right to digital disconnection, neutrality, security at work, etc.).
  • Art 7 Child consent age — set at 14 (lower than GDPR's default 16)
  • Art 22 Video surveillance — public/employer use proportionality and signage requirements
  • Art 34 DPO — list of activities triggering mandatory designation beyond GDPR Art 37
  • Art 87–91 Employee digital rights — privacy in devices, geolocation, video surveillance, digital disconnection
  • Art 71–78 Sanctions — three-tier infraction regime (leves/graves/muy graves) with statute of limitations
BOE-A-2018-16673 — Ley Orgánica 3/2018 de 5 de diciembre
LSSI-CE · Stricter
Ley 34/2002, de Servicios de la Sociedad de la Información y de Comercio Electrónico
Information Society Services + cookies (Art 22.2 transposes ePrivacy Art 5(3)) + commercial communications opt-in regime. AEPD published the canonical 'Guía sobre el uso de las cookies' (latest update Jan 2024) interpreting Art 22.2.
  • Art 22.2 Cookies — informed prior consent for non-strictly-necessary storage/access on terminal equipment
  • Art 21 Email/SMS commercial communications — prior consent required (soft opt-in narrow)
  • Art 38 Sanctions — up to €600,000 for very serious infringements
BOE-A-2002-13758 — Ley 34/2002 de 11 de julio
Estatuto de los Trabajadores Art 20
Real Decreto Legislativo 2/2015 — Texto refundido del Estatuto de los Trabajadores
Employer monitoring of employees — Art 20.3 governs control measures (video surveillance, geolocation, device monitoring) with proportionality + prior information duties. Operates jointly with LOPDGDD Art 87–90 'derechos digitales en el ámbito laboral'.
  • Art 20.3 Employer monitoring — adequate, necessary and proportional measures with prior employee information
  • Art 20 bis Reference to LOPDGDD digital rights — privacy in devices, geolocation, video surveillance
BOE-A-2015-11430

Regulators

Supervisory authorities that interpret and enforce privacy law here.

NATIONAL
AEPD · Agencia Española de Protección de Datos
National DPA for the entire private sector and central-government public bodies. Investigative + sanctioning powers; publishes binding guidance (Guías) and consultations.

Autonomous-community DPAs · 3 authorities

Region · Authority · Note
Catalonia · APDCAT (Autoritat Catalana de Protecció de Dades) — competent for Catalan public bodies and entities providing public services in Catalonia
Basque Country · AVPD (Datuak Babesteko Euskal Bulegoa) — competent for Basque public administration
Andalusia · CTPDA (Consejo de Transparencia y Protección de Datos de Andalucía) — competent for Andalusian public bodies (transparency + data protection)

Coordination body

Consejo Consultivo AEPD · Consejo Consultivo de la Agencia Española de Protección de Datos
Advisory body to AEPD on regulatory positions; coordinates with autonomous DPAs (APDCAT, AVPD, CTPDA) on cross-jurisdiction cases.
  • 2020-07-28 · Cookies guidance v2 — AEPD 'Guía sobre el uso de las cookies' — alignment with EDPB 5/2020; 'continue browsing' deemed insufficient as consent.
  • 2023-01-11 · Cookies guidance update — AEPD updated cookie guidance — explicit alignment with EDPB Cookie Banner Taskforce report (Jan 2023): equal-prominence reject button, no pre-ticked boxes, no deceptive design.
  • 2024-09 · Pay-or-OK / Consent-or-Pay — AEPD position aligned with EDPB Opinion 08/2024 — large platforms cannot rely solely on binary 'pay or accept' to obtain valid GDPR consent.

Notable enforcement

Spain is consistently the EU member state with the highest *number* of GDPR sanctions, although individual fines tend to be smaller than the largest German, French or Irish cases. AEPD's enforcement profile is volume-driven and procedurally fast: many decisions concern banks (CaixaBank, BBVA), telecoms (Vodafone, Orange), retail/employment (Mercadona, Glovo) and standard cookie/transparency violations. Fines are frequently appealed to the Audiencia Nacional and reduced; AEPD adopted a voluntary-payment discount mechanism (up to 40 %) which closes a large share of cases without litigation.

  1. 2021-01 €6.0M
    CaixaBank AEPD · Art 6, 13, 14 stood

    Lawful basis and transparency failings around customer data processing for marketing and profiling. Largest Spanish GDPR fine at the time.

  2. 2020-12 €5.0M
    BBVA AEPD · Art 13, 14 stood

    AEPD sanction for transparency failings around how personal data is provided to the customer (PS/00070/2020). One of the largest AEPD fines on a Spanish bank to that date and a recurring reference for transparency expectations. (Verify procedural number against AEPD final resolution.)

  3. 2024-03 €4.5M
    Vodafone España AEPD · Art 5, 32 stood

    Security and onboarding controls — part of a multi-action enforcement run against Vodafone España totalling tens of millions of euros across several proceedings.

  4. 2021-07 €170k
    Mercadona AEPD · Art 5, 6, 9, 35 settled

    Facial-recognition deployment in supermarket stores without an adequate legal basis or DPIA. Originally proposed at a higher amount, settled at €170,000 with corrective measures.

GA4 status

GA4 is usable in Spain with prior, informed, granular consent under LSSI Art 22.2 (cookie layer) plus a valid GDPR Art 6 basis for the subsequent processing. AEPD aligns with the EDPB baseline rather than pursuing French- or Italian-style GA-specific enforcement; transfers to Google's US servers are accepted while Google LLC remains DPF-certified. Without consent, GA4 deployments are non-compliant under AEPD cookie guidance.

DPA · Stance
AEPD — EDPB-baseline: explicit consent under LSSI Art 22.2 + DPF for US transfers; no GA-specific bans.
APDCAT (Catalonia) — same baseline as AEPD; competent only for Catalan public-sector deployments.
AVPD (Basque Country) — aligned with AEPD; jurisdiction limited to Basque public administration.
CTPDA (Andalusia) — public-sector only; aligned with AEPD on private-sector analytics expectations.

Cross-border transfers + Schrems II

AEPD aligned with the EDPB baseline on international transfers. Post-DPF (10 Jul 2023) the AEPD accepts DPF-certified US importers as adequate while certification is live; for non-DPF recipients, Transfer Impact Assessments and supplementary measures remain expected. Compared with CNIL or Garante, AEPD's posture is moderate — it has not pursued GA4-specific transfer enforcement actions of the kind seen in France or Italy.

EU 2021/914 SCCs are the standard fallback for non-DPF transfers. AEPD has issued generic guidance (Listado de comprobaciones) but has not published Spain-specific addenda. Module 2 (controller-processor) onward-transfer clauses receive normal scrutiny without the heightened review applied by some northern EU DPAs.

Employee data

Key thresholds

Child consent age — 14 years
Article 27 representative — Required
Marketing consent — Single opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 12 · 6 green · 5 yellow · 1 red
Vendor · Status · Rationale
 GREEN Cookieless by design. EU-routed via Cloudflare. No DPA required for Lite tier (no PII).
 GREEN Self-hosted on your infrastructure. Full data control, configurable IP anon. Meets every jurisdiction with cookieless config.
 GREEN EU-hosted with cookieless mode available. With cookies disabled qualifies for §25(2) exception in Germany.
 GREEN German-hosted, cookieless, GDPR-aligned by design.
 GREEN EU-hosted, no cookies, no PII processed. ePrivacy-exempt for cookieless tracking. No banner required.
 GREEN Open-source, cookieless, fully self-hostable. Default-green when self-hosted.
 YELLOW Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
 YELLOW EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
 YELLOW Default config sends data to US infrastructure. Needs Consent Mode v2 + IP anonymization + DPF active + signed DPA + reject-all banner. Server-side EU proxy moves to green.
 YELLOW EU residency available on paid plans; default cloud is US. Identifies users by default — needs config.
 YELLOW EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
 RED Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
 GREEN Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
 GREEN Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
 GREEN Open-source, self-hosted. No managed updates — site owner maintains vendor list.
 GREEN GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
 GREEN German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Tag managers · 1 · 0 green · 1 yellow · 0 red
Vendor · Status · Rationale
 YELLOW Container only — verdict depends on which tags fire and when. Block until consent. Server-side GTM in EU recommended.
Session replay · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
 RED Full session capture — highest-risk category. Explicit consent + DPIA + strict retention.
 RED Session replay — high-risk processing per EDPB Guidelines 3/2019. DPIA + explicit consent required. Cannot run pre-consent.
 RED Session replay + Microsoft tracking. DPIA + explicit consent required.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
 RED Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
 RED Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
 RED PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
 GREEN EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
 GREEN EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
 YELLOW "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.
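The recurring instruction across the tables above (tag manager: "Block until consent"; CMPs: "verify your manual scripts also gate"; server-side: "CMP must still gate browser-side pings") and the GA4 section's "Consent Mode v2 + reject-all banner" both come down to one browser-side mechanism: no non-necessary tag executes before the CMP has recorded consent for its purpose, and Google's consent signals start out denied. The following is an added example written for this page, not code from the page, from any CMP or from Google. The `gtag('consent', 'default' | 'update', …)` commands and the four signal names (`ad_storage`, `ad_user_data`, `ad_personalization`, `analytics_storage`) are Google's documented Consent Mode v2 API; the purpose categories, the `data-category` / `data-src` attributes and the `cmp:consent` event are constructed assumptions standing in for whatever your CMP actually emits.

```javascript
// Consent-gated tag loading (added example; purpose names, data-* attributes
// and the "cmp:consent" event are constructed assumptions, not a real CMP API).
const PURPOSES = ["necessary", "analytics", "marketing"];

// Consent Mode v2 "default" command: every storage signal denied until the
// visitor decides. wait_for_update tells gtag how long (ms) to hold tags
// back while the CMP loads its stored decision.
function consentModeDefaults() {
  return {
    ad_storage: "denied",
    ad_user_data: "denied",
    ad_personalization: "denied",
    analytics_storage: "denied",
    wait_for_update: 500,
  };
}

// Translate the CMP's per-purpose decisions into a Consent Mode v2 "update".
// Only a literal true counts as granted; anything else stays denied.
function consentModeUpdate(consent) {
  const signal = (ok) => (ok === true ? "granted" : "denied");
  return {
    analytics_storage: signal(consent.analytics),
    ad_storage: signal(consent.marketing),
    ad_user_data: signal(consent.marketing),
    ad_personalization: signal(consent.marketing),
  };
}

// Which registered tags may fire under the given consent record?
// "necessary" always fires; an unclassified category fails closed, so a tag
// nobody mapped to a purpose can never slip through pre-consent.
function tagsAllowed(tags, consent) {
  return tags.filter((tag) => {
    if (tag.category === "necessary") return true;
    if (!PURPOSES.includes(tag.category)) return false;
    return consent[tag.category] === true;
  });
}

// Browser side: third-party scripts are shipped inert as
//   <script type="text/plain" data-category="analytics" data-src="https://..."></script>
// and only become real <script> elements once their category is consented.
// Returns how many were activated; guarded so it is a no-op without a DOM.
function activateConsentedScripts(consent, doc) {
  const d = doc || (typeof document !== "undefined" ? document : null);
  if (!d) return 0;
  let activated = 0;
  d.querySelectorAll('script[type="text/plain"][data-category]').forEach((el) => {
    const allowed = tagsAllowed([{ category: el.dataset.category }], consent).length === 1;
    if (!allowed || el.dataset.activated === "1") return;
    const real = d.createElement("script");
    real.src = el.dataset.src;
    real.async = true;
    el.dataset.activated = "1"; // idempotent: a second consent event won't double-load
    el.parentNode.insertBefore(real, el);
    activated += 1;
  });
  return activated;
}

// Page wiring: push the denied defaults before any tag script runs, then
// update signals and activate gated scripts when the (assumed) CMP event
// arrives with a record like { analytics: true, marketing: false }.
function installConsentGating(win) {
  const w = win || (typeof window !== "undefined" ? window : null);
  if (!w) return false;
  w.dataLayer = w.dataLayer || [];
  function gtag() { w.dataLayer.push(arguments); }
  gtag("consent", "default", consentModeDefaults());
  w.addEventListener("cmp:consent", (ev) => {
    gtag("consent", "update", consentModeUpdate(ev.detail));
    activateConsentedScripts(ev.detail);
  });
  return true;
}
```

The order matters: `installConsentGating` must run before the GA4/gtag snippet and before any tag-manager container, otherwise the default-denied state is pushed too late and the first hits go out with storage granted. Note also what this does not do: a server-side container or EU proxy downstream changes nothing here, because the decision about whether the browser emits anything at all is taken by `tagsAllowed` before any request leaves the page.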

Common questions

Is Google Analytics legal in Spain in 2026?
Yes, conditionally. GA4 is usable in Spain with prior, informed, granular consent under LSSI Art 22.2 plus a valid GDPR Art 6 basis. After the EU-US DPF (10 Jul 2023) transfers to Google's US servers are lawful while Google LLC remains DPF-certified. AEPD aligns with the EDPB baseline rather than pursuing GA-specific bans of the kind seen at the CNIL or Garante, but without consent GA4 is non-compliant under AEPD cookie guidance.
How strict is AEPD compared with the CNIL or Garante?
AEPD's posture is moderate. It is the most active EU DPA by *number* of decisions but its substantive positions usually track the EDPB baseline. Unlike France's CNIL or Italy's Garante, AEPD has not issued Google Analytics or Mailchimp-style transfer bans; it has instead concentrated on cookie-banner enforcement, transparency, security, and employee/worker monitoring.
What does LOPDGDD add on top of GDPR?
LOPDGDD (Ley Orgánica 3/2018) fills GDPR opening clauses and adds Spain-specific rules: child consent at 14 (Art 7, lower than GDPR's default 16), employee 'derechos digitales' (Art 87–91 — privacy in devices, geolocation, video/audio surveillance, digital disconnection), DPO triggers (Art 34), and the three-tier sanctions regime with voluntary-payment discount (Art 71–78).
Are there autonomous-region DPAs in Spain?
Yes, but only for regional public-sector bodies. Catalonia (APDCAT), the Basque Country (AVPD) and Andalusia (CTPDA) have their own data protection authorities competent over regional public administrations and entities providing public services in those autonomous communities. The private sector everywhere in Spain — including in Catalonia, the Basque Country and Andalusia — is supervised exclusively by AEPD.
Must my privacy notice be in Spanish?
Yes for Spanish-targeted sites. AEPD expects privacy notices, cookie banners and consent flows to be available in Spanish (and, where relevant, the co-official languages — Catalan, Galician, Basque). English-only notices on a clearly Spain-targeted website are insufficient under LOPDGDD transparency expectations and LSSI's information duties.
What is the Spanish equivalent of France's Bloctel?
Lista Robinson, run by ADigital. It is a private opt-out registry for direct marketing — not a statutory list — but consulting it is treated by AEPD as part of the diligence expected before sending unsolicited commercial communications under LSSI Art 21 and LOPDGDD.
What is the child consent age in Spain?
14, under LOPDGDD Art 7. Spain used the GDPR Art 8 opening clause to lower the default age of digital consent from 16 to 14. Below 14, parental/guardian consent is required for information-society services offered directly to children.
Do I need a Spanish Article 27 representative?
Yes if you are a non-EU controller offering goods/services to or monitoring behavior of people in Spain (or any EEA state), unless the small-business exception in GDPR Art 27(2) applies. AEPD has pursued non-designation in cross-border investigations.
Does Schrems II still affect transfers from Spain post-DPF?
Yes for non-DPF transfers. AEPD accepts DPF-certified US importers as adequate while certification is live; for non-DPF US recipients (or other third countries), Transfer Impact Assessment and supplementary measures remain expected per Schrems II logic and EDPB Recommendations 01/2020.

// EDITORIAL · NOT LEGAL ADVICE This page summarises Spain's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.