Jurisdiction ยท COUNTRY ยท ES
๐ช๐ธ Spain
EU member state. AEPD aligned with EDPB baseline; published practical cookie guidance. Local act: LOPDGDD.
What a typical site must do
| Requirement | Value | Confidence | Reviewed |
|---|---|---|---|
| analytics_exempt_cookieless | yes | high | 2026-05-04 |
| banner_required | yes | high | 2026-05-04 |
| breach_notification_hours | 72 | high | 2026-05-04 |
| consent_mode_v2_relevant | yes | medium | 2026-05-04 |
| consent_model | opt_in | high | 2026-05-04 |
| cookie_policy_required | yes | high | 2026-05-04 |
| dpf_transfers_acceptable | conditional | medium | 2026-05-04 |
| dpo_required | yes_large_scale | high | 2026-05-04 |
| dsr_response_days | 30 | high | 2026-05-04 |
| enforcement_strictness | moderate | high | 2026-05-04 |
| iab_tcf_required | recommended | medium | 2026-05-04 |
| language_required | spanish | high | 2026-05-04 |
| pre_consent_pings_allowed | no | medium | 2026-05-04 |
| privacy_policy_required | yes | high | 2026-05-04 |
| reject_layer1 | yes_required | high | 2026-05-04 |
| ropa_required | yes_250+ | high | 2026-05-04 |
Editorial notes
Tool compliance matrix
Default-config verdict per analytics/CMP tool against this jurisdiction.
| Vendor | Status | Rationale |
|---|---|---|
| Addingwell | green | EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic. |
| Cookiebot | green | Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent โ verify your manual scripts also gate. |
| Fathom | green | Cookieless by design. EU-routed via Cloudflare. No DPA required for Lite tier (no PII). |
| Iubenda | green | Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan. |
| Klaro | green | Open-source, self-hosted. No managed updates โ site owner maintains vendor list. |
| Matomo (self-hosted) | green | Self-hosted on your infrastructure. Full data control, configurable IP anon. Meets every jurisdiction with cookieless config. |
| Matomo Cloud | green | EU-hosted with cookieless mode available. With cookies disabled qualifies for ยง25(2) exception in Germany. |
| OneTrust | green | GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch โ verify per-region defaults. |
| Pirsch | green | German-hosted, cookieless, GDPR-aligned by design. |
| Plausible | green | EU-hosted, no cookies, no PII processed. ePrivacy-exempt for cookieless tracking. No banner required. |
| Stape | green | EU server containers handle the routing โ but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings. |
| Umami | green | Open-source, cookieless, fully self-hostable. Default-green when self-hosted. |
| Usercentrics | green | German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites. |
| Adobe Analytics | yellow | Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation. |
| Amplitude | yellow | EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain. |
| Google Analytics 4 | yellow | Default config sends data to US infrastructure. Needs Consent Mode v2 + IP anonymization + DPF active + signed DPA + reject-all banner. Server-side EU proxy moves to green. |
| Google Tag Manager | yellow | Container only โ verdict depends on which tags fire and when. Block until consent. Server-side GTM in EU recommended. |
| Mixpanel | yellow | EU residency available on paid plans; default cloud is US. Identifies users by default โ needs config. |
| PostHog | yellow | EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green. |
| Server-side GTM (Google Cloud) | yellow | "EU server" โ EU data โ clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing. |
| FullStory | red | Full session capture โ highest-risk category. Explicit consent + DPIA + strict retention. |
| Heap | red | Auto-capture grabs every click and form value โ broad PII risk under GDPR Art 5(1)(c) data minimization. |
| Hotjar | red | Session replay โ high-risk processing per EDPB Guidelines 3/2019. DPIA + explicit consent required. Cannot run pre-consent. |
| LinkedIn Insight Tag | red | Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set. |
| Meta Pixel | red | Schrems II concerns persist; advanced matching hashes PII but does not fix EUโUS transfer problem. |
| Microsoft Clarity | red | Session replay + Microsoft tracking. DPIA + explicit consent required. |
| TikTok Pixel | red | PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required. |