Cookie Consent and Analytics in Spain: What Spanish Website Owners Need to Know in 2026
Spain's data protection authority has issued more GDPR fines than any other EU country. Over a thousand of them. And 72% landed on small businesses and freelancers. If you run a website in Spain and your cookie banner is wrong, the AEPD is not going to give you a warning email. They are going to give you a bill.
- Spain's AEPD has issued over 900 GDPR fines totaling EUR 137 million since 2018. More individual fines than any other EU country. In 2022, Spain issued 40% of all GDPR fines across the entire EEA. 72% of fines in 2024 hit small businesses and freelancers.
- Since January 2024, the AEPD allows analytics cookies without consent if they meet strict conditions: first-party only, no cross-site tracking, no data sharing, 13-month cookie lifespan, 25-month data retention. Google Analytics does not qualify.
- The AEPD took opposite positions on two Google Analytics cases. It dismissed the complaint against the Royal Spanish Academy (the first EU DPA to reject a NOYB complaint) but ordered eDreams to cease all GA data transfers to the US.
- Cookie-based analytics in Spain capture roughly 25% of actual traffic. SealMetrics data shows 30% of Spanish visitors explicitly reject cookies and 45% ignore the banner entirely. Over half of Spanish users report using ad blockers at least occasionally, widening the data gap further.
- Spain created the right to be forgotten. The 2014 CJEU ruling in Google Spain v AEPD, originating from a Spanish citizen's complaint, became GDPR Article 17 and forced Google to process over 6 million delisting requests across Europe.
Spain's privacy DNA
Spain knows what surveillance costs. For 36 years, Franco's Brigada Politico-Social ran a surveillance apparatus that reached into every corner of Spanish society. The secret police, trained by Nazi SS officer Paul Winzer stationed in Spain, embedded informants in universities, factories, and churches. The regime encouraged ordinary citizens to act as informants, fostering paranoia and self-censorship across communities. The Ministry of the Interior archives still hold approximately 100,000 political files from that era.
When democracy arrived, Spain wrote privacy into its constitution. Article 18.4 of the 1978 Constitution states: "The law shall restrict the use of data processing in order to guarantee the honour and personal and family privacy of citizens and the full exercise of their rights." In 1978, that was remarkably prescient. The Constitutional Court later interpreted this as an autonomous fundamental right, separate from privacy itself, giving citizens active powers to control their personal information.
Then came the case that changed European privacy law forever. In 1998, a Spanish newspaper published a notice about a forced property sale due to social security debts belonging to Mario Costeja Gonzalez. The debt was resolved. But when La Vanguardia digitized its archive in 2008, Googling his name surfaced the old notice as if it were current. He complained to the AEPD. Google refused to remove it. The AEPD sided with Costeja. Google appealed. The case reached the Court of Justice of the European Union.
On May 13, 2014, the CJEU ruled that search engines are data controllers, that individuals can request removal of links to information that is "inadequate, irrelevant or no longer relevant," and that privacy generally overrides the economic interests of the search engine. Google received 12,000 delisting requests on the first day its form went live. The ruling became GDPR Article 17: the right to erasure. Spain did not just adopt European privacy law. It created it.
Costeja himself later tried to use the right to be forgotten again, requesting Google delist links to blog posts about the original case. The AEPD denied the appeal, ruling that the case's significance made the details a matter of public interest. The man who created the right to be forgotten became the proof that it has limits.
The AEPD: Europe's busiest enforcer
The AEPD (Agencia Espanola de Proteccion de Datos) has approximately 250 staff and a EUR 19 million budget. That is less than France's CNIL (EUR 28 million) or Ireland's DPC (EUR 26 million). It issues more fines than both combined.
Lorenzo Cotino Hueso, a constitutional law professor from the University of Valencia with 200+ published articles on privacy, became president in March 2025. He stated plainly in his first major interview: "Our country stands out among the 27 EU members because it imposes the most sanctions."
The numbers back him up. Since GDPR took effect, the AEPD has issued over 900 individual fines totaling approximately EUR 137 million. In FY2024: 281 fines worth EUR 35.6 million, a 19.4% increase over the previous year. In FY2025: 299 fines worth EUR 40 million. In 2022, Spain issued 40% of all GDPR fines across the entire EEA. More than Italy, Romania, and Germany combined.
The AEPD also builds things. It provides seven free compliance tools: Facilita (SME compliance in 20 minutes), Gestiona (processing activity management), Comunica-Brecha and Asesora Brecha (breach notification assessment), Evalua-Riesgo (DPIA necessity), ValidaCripto (encryption validation), and Facilita Emprende (startups). No other EU DPA offers this breadth of free tooling. The Canal Prioritario provides emergency removal of non-consensual intimate images, available 24/7, winning an award at the Global Privacy Assembly. Spain does not just punish violations. It builds the infrastructure to prevent them.
The legal framework: LSSI meets LOPDGDD
Spain's cookie law runs on two tracks. The LSSI-CE (Ley 34/2002) is Spain's e-commerce and information society law, originally enacted in 2002. Article 22.2, amended by Royal Decree-Law 13/2012, requires prior informed consent before storing or accessing data on a user's device. This is Spain's transposition of the ePrivacy Directive.
The LOPDGDD (Organic Law 3/2018) implements the GDPR and goes further. Title X establishes a "Digital Bill of Rights" unique to Spain: the right to digital disconnection from work (employers cannot require after-hours communications), digital wills (heirs can access or delete a deceased person's data), net neutrality, digital education, and workplace surveillance limits. No other EU country has codified this breadth of digital rights into its GDPR implementation.
The penalty structure is layered. Cookie violations under LSSI Article 22.2 carry fines up to EUR 30,000 for minor infractions, EUR 150,000 for serious infractions, and EUR 600,000 for very serious infractions. If the cookie violation also constitutes a GDPR breach (processing personal data without a legal basis), GDPR fines up to EUR 20 million or 4% of global turnover apply on top.
Spain also has a unique fine reduction mechanism. Controllers can receive a 20% discount for acknowledging liability and an additional 20% for voluntary payment before the final resolution. This partly explains why so many published fines show reduced amounts (Vueling's EUR 30,000 became EUR 18,000, SEAT's EUR 20,000 became EUR 12,000). It also explains the AEPD's efficiency: the system incentivizes fast resolution.
Cookie consent: what's required and what's exempt
The AEPD's cookie guide, updated July 2023 and enforced since January 11, 2024, requires a two-layer consent system. The first layer (the banner) must display the publisher's identity, cookie purposes, and three distinct options: Accept, Reject, and Settings. Accept and Reject must have identical visual prominence: same size, color, contrast, and placement. No dark patterns. No pre-checked boxes. No "continue browsing equals consent."
This was a significant shift. Before July 2023, the AEPD accepted banners with only "Accept" and "Configure" buttons. The update aligned Spain with EDPB Guidelines 03/2022 on deceptive design patterns. A CHI 2025 academic study of 10,000 websites per country found that Spain now has the highest cookie banner compliance rate in the EU at 28% (vs. 19% in Germany, 23% in France, 9% in the Netherlands). That number is still low, but it means Spain is moving in the right direction faster than its peers.
Here is what makes Spain different from Germany and Belgium. In January 2024, the AEPD published a separate audience measurement cookies guide that creates an exemption from consent for analytics cookies meeting strict conditions.
This puts Spain in the same camp as France, where the CNIL has offered a similar exemption since 2020. It places Spain in direct contrast to Germany (where the Bundestag explicitly rejected an analytics exemption) and Belgium (where the APD said no to seven industry associations). Standard Google Analytics does not qualify because data goes to Google's servers, can be cross-referenced, and enables cross-site tracking. Privacy-first analytics tools that are first-party, aggregated, and never share data with third parties can qualify.
Google Analytics in Spain: two cases, opposite outcomes
The AEPD is the only major EU DPA that took opposite positions on two Google Analytics cases. Both originated from NOYB's 101 coordinated complaints filed after the Schrems II ruling.
Case 1: The Royal Spanish Academy (December 2022). The AEPD dismissed the complaint, finding no GDPR violation. The RAE had used only basic GA features (aggregated data, no IP address access, no attempt to re-identify users) and had discontinued use after Schrems II. The AEPD became the first EU DPA to reject a NOYB complaint. Hogan Lovells Madrid described it as "an important precedent, opening the door to the use of Google Analytics by Spanish entities."
Case 2: eDreams (July 2023). The AEPD found a violation. eDreams used Google Analytics 360 actively with personally identifiable data (logged-in users, IP addresses, cookies) and continued transferring data to Google's US servers without adequate safeguards. The AEPD ordered eDreams to cease all international data transfers via Google Analytics until GDPR compliance was established. No monetary fine was imposed.
The EU-US Data Privacy Framework (July 2023) now provides a legal basis for GA4's US data transfers. But the DPF does not solve the consent problem. You still need consent under LSSI Article 22 before setting any analytics cookies. And GA4 does not qualify for the AEPD's analytics exemption because it shares data with Google and enables cross-site tracking. A Telefonica Tech study found that 46% of major Spanish websites load Google Analytics cookies before obtaining consent. That is a compliance problem waiting to become a fine.
Notable enforcement actions
The AEPD's largest fines target systemic violations, not cookie banners. But the cookie fines tell a story about how enforcement actually reaches small businesses.
The AEPD received 21,590 complaints in 2023, an all-time record and a 43% increase over 2022. Advertising complaints more than doubled year over year. Data breach notifications surged 46% in 2024 to 2,933. The trend is acceleration. Former director Mar Espana Marti said it directly: "There is no anonymity on the internet. The Agency will have zero tolerance."
How much traffic are you actually losing?
Spain is a mobile-first market: 52.65% of web traffic comes from phones. Chrome dominates at 71.54%, followed by Safari at 15.66% (23.69% on mobile). Firefox holds 2.74%, Edge 4.31%.
SealMetrics data breaks down what happens at Spanish cookie banners: 25% of visitors accept, 30% explicitly reject, and 45% ignore the banner entirely. Total data loss for cookie-based analytics: 75%.
That matches the broader pattern. Didomi's 2025 benchmark reports an 84% "consent rate" for Spain, but that only counts users who actually interact with the banner. Among all visitors including those who ghost, Didomi reports Southern European consent rates of 82.5%, with "no-choice" rates of 21-27% dragging the effective opt-in rate well below that. Layer in ad blockers (over half of Spanish users self-report using them at least occasionally) and Safari's ITP (which caps JavaScript cookies to 7 days for 23.69% of mobile traffic), and the picture gets worse.
Spain has one of the largest digital economies in the EU, a EUR 95.2 billion e-commerce market growing at 13.1% annually, and 3.3 million active businesses. If you run a Spanish e-commerce site using cookie-based analytics, you are making pricing, inventory, and marketing decisions based on one quarter of your actual customers.
The cookieless path: analytics without consent in Spain
Spain's AEPD analytics exemption describes exactly the kind of tool that privacy-first analytics provides. But there is an even simpler approach: avoid cookies entirely.
The LSSI Article 22.2 consent requirement triggers when information is stored on or accessed from a user's device. Server-side processing of HTTP request data (IP address, user agent, referrer, requested path) does not constitute device access because that data is sent automatically by the browser as part of the request. Where minimal sessionStorage is used for session continuity (tab-lifetime, auto-clears on close), the ePrivacy Directive explicitly contemplates exempting storage strictly necessary for the requested service.
Clickport takes this approach. No cookies, no fingerprinting, no cross-site tracking. Sessions use tab-scoped sessionStorage that auto-clears on close. Your Spanish visitors see no consent banner, your analytics capture traffic that cookie-based tools miss entirely, and the AEPD fine surface that hits 72% of small businesses shrinks dramatically. All data stays on EU servers. No US transfers. No DPF dependency.
The EU's Digital Omnibus proposal would create an EU-wide analytics exemption similar to what France and Spain already offer. But adoption is unlikely before 2027, and the new rules would need to take effect across all member states before Spain's existing LSSI framework is superseded. Cookieless analytics works today.
What this means for your Spanish website
Spain has 2.1 million .es domains, 81.8% of enterprises with websites, and the most aggressive privacy enforcer in Europe. Here is what you need to know:
If you use cookie-based analytics (GA4, Matomo with cookies, etc.): You need LSSI-compliant consent with an equal-prominence reject button before setting any cookies. GA4 does not qualify for the AEPD's analytics exemption. Expect to lose 70-80% of your traffic data. A resort hotel was fined EUR 3,000 for analytics cookies without consent. Techpump Solutions was fined EUR 90,000 for cookies that persisted after rejection.
If you qualify for the AEPD analytics exemption: First-party analytics with no cross-site tracking, no data sharing, 13-month cookie lifespan, and 25-month data retention. You still need to inform users via your privacy policy. You still need GDPR-compliant data processing. But you do not need a consent banner for those specific cookies.
If you use cookieless, privacy-first analytics: No cookies, no fingerprinting, no cross-site tracking. No LSSI consent requirement. No banner needed. No data loss from consent rejection. No fine surface for cookie violations. This is the approach that eliminates the compliance question entirely.
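Two of the exemption conditions listed above, first-party origin and the 13-month cookie lifespan, are visible in response headers, so a site owner can check what is set before the visitor touches the banner. The following is an added example, not code from the AEPD, from any vendor named here, or from the original article; the function names, the example.es hosts and the caller-supplied registrable domain are assumptions, and 13 months is counted as calendar months. Data sharing, cross-referencing and retention cannot be seen in headers and are not checked.

```javascript
// Added example: audit cookies captured before any banner interaction.
const MAX_MONTHS = 13; // cookie lifespan limit stated in the article

// Split one Set-Cookie value into its name and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), attrs: {} };
  for (const a of attrs.filter(Boolean)) {
    const i = a.indexOf("=");
    cookie.attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? "" : a.slice(i + 1);
  }
  return cookie;
}

// Expiry as a Date, or null for a session cookie. Max-Age takes precedence
// over Expires, as in RFC 6265.
function expiryOf(attrs, now) {
  if (/^-?\d+$/.test(attrs["max-age"] || "")) {
    return new Date(now.getTime() + Number(attrs["max-age"]) * 1000);
  }
  const d = new Date(attrs.expires || NaN);
  return Number.isNaN(d.getTime()) ? null : d;
}

// siteDomain is the site's registrable domain, supplied by the auditor
// (assumption: no public-suffix lookup is done here).
function isFirstParty(host, siteDomain) {
  const h = host.toLowerCase(), s = siteDomain.toLowerCase();
  return h === s || h.endsWith("." + s);
}

// observations: [{ host, header }] = responding host + raw Set-Cookie value.
function auditPreConsent(observations, siteDomain, now = new Date()) {
  const limit = new Date(now.getTime());
  limit.setUTCMonth(limit.getUTCMonth() + MAX_MONTHS);
  return observations.map(({ host, header }) => {
    const { name, attrs } = parseSetCookie(header);
    const expires = expiryOf(attrs, now);
    const reasons = [];
    if (!isFirstParty(host, siteDomain)) reasons.push("third-party host");
    if (expires && expires > limit) reasons.push("lifespan over 13 months");
    return { name, host, reasons };
  });
}

// Constructed sample: responses seen on first page load, banner untouched.
const SAMPLE_NOW = new Date(Date.UTC(2026, 0, 15));
const SAMPLE = [
  { host: "shop.example.es", header: "sid=abc; Path=/; HttpOnly; Secure; SameSite=Lax" },
  { host: "shop.example.es", header: "visits=1; Max-Age=63072000; Path=/" },
  { host: "tracker.example.net", header: "uid=xyz; Max-Age=2592000; SameSite=None; Secure" },
  { host: "www.example.es", header: "m=1; Expires=Fri, 15 Jan 2027 00:00:00 GMT" },
];

for (const r of auditPreConsent(SAMPLE, "example.es", SAMPLE_NOW)) {
  console.log(r.name, r.host, r.reasons.length ? r.reasons.join("; ") : "ok on these two checks");
}
```

Cookies written by script through `document.cookie` never appear in `Set-Cookie` headers, so for full coverage export the browser's cookie jar after a fresh page load and feed it in the same shape.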
Spain created the right to be forgotten, built one of the most aggressive privacy enforcement machines in Europe, and still manages to offer a pragmatic path for analytics. The AEPD fines more than any other DPA because it takes compliance seriously. It also builds free tools and publishes detailed guidance because it wants businesses to get it right. The simplest way to comply with Spanish privacy law is to not need consent in the first place.
Frequently asked questions
Is Google Analytics legal in Spain?
The AEPD has not banned Google Analytics. It dismissed one NOYB complaint (RAE) and upheld another (eDreams). GA4 requires valid consent under LSSI Article 22.2 before setting cookies. It does not qualify for the AEPD's analytics exemption because data goes to Google's servers and can be cross-referenced. Using GA4 without consent carries real legal risk, and 46% of Spanish websites currently violate this requirement.
Do analytics cookies require consent in Spain?
By default, yes. LSSI Article 22.2 requires consent for all non-essential cookies. However, since January 2024, the AEPD allows an exemption for audience measurement cookies that meet six strict conditions: first-party only, no cross-site tracking, no data sharing, no cross-referencing, 13-month cookie lifespan, and 25-month data retention. If your analytics tool meets all six, you do not need consent (but you must inform users).
What is the AEPD's analytics cookie exemption?
Published in January 2024 as a companion guide to the main cookie guidelines, it allows audience measurement without consent if the data is aggregated, first-party, not shared with third parties, not used for cross-site tracking, and retained for no more than 25 months. When using an external analytics provider, additional contractual safeguards are required. Standard Google Analytics does not qualify.
Can I use analytics without consent in Spain?
Yes, through two paths. First: qualify for the AEPD's analytics exemption (strict conditions, see above). Second: use analytics that do not store anything on the user's device. Server-side processing of HTTP request data falls outside LSSI Article 22 entirely. Cookieless analytics tools that avoid cookies, fingerprinting, and cross-site tracking operate without triggering the consent requirement.
How much can the AEPD fine for cookie violations?
Under LSSI Article 22.2, cookie violations are classified as minor infractions with fines up to EUR 30,000. Serious infractions carry fines up to EUR 150,000, and very serious infractions up to EUR 600,000. If the violation also breaches the GDPR (processing personal data without a legal basis), fines up to EUR 20 million or 4% of global turnover can apply. Recent examples: EUR 90,000 for cookies persisting after rejection, EUR 3,000 for analytics cookies without consent.
Does the Digital Omnibus Act affect Spain?
The EU's Digital Omnibus proposal would create an EU-wide analytics exemption for aggregated, first-party audience measurement. Spain is effectively already aligned through the AEPD's January 2024 exemption, so the practical impact would be minimal. The bigger change: Germany and Belgium, which currently have no comparable cookie-based analytics exemption, would be required to allow one. Adoption is unlikely before 2027. The new GDPR-integrated cookie rules would be directly applicable, superseding Spain's LSSI framework.
What is the LOPDGDD?
Spain's Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights. It implements the GDPR in Spain and adds a unique Title X establishing digital rights: the right to digital disconnection from work, digital wills, net neutrality, digital education, workplace surveillance limits, and internet access as a legal right. It also sets the age of consent for data processing at 14 (a pending bill would raise it to 16 in digital contexts).
