A website or blog may be subject to data protection rules if it collects user information through forms, comments, newsletters, cookies, analytics, online stores, bookings or private areas. It may also need to comply with Spanish e-commerce rules when it provides information society services or sends commercial communications.

What a website or blog should review
- Privacy policy: it should explain who the controller is, what data is processed, the purpose, legal basis, recipients, retention period and rights.
- Legal notice: it identifies the website owner and provides the required information where applicable.
- Cookie policy: it informs about first-party and third-party cookies, purpose, duration and how to configure or reject them.
- Cookie banner: it should allow users to accept, reject and configure non-essential cookies clearly.
- Forms: each form should include basic privacy information and, where appropriate, an acceptance checkbox.
- Email marketing: commercial communications need a legal basis and an easy unsubscribe mechanism.
Can a website be fined?
Yes. A website can trigger complaints if it fails to inform properly, installs non-essential cookies without consent, collects data without a legal basis, sends advertising without proper grounds or fails to handle rights requests. The risk increases if the website collects health data, children’s data, user profiles or especially sensitive information.
Compliance checklist
- Review all forms: contact, quote request, comments, newsletter, registration or purchase.
- Check which cookies are installed before and after consent.
- Make sure accepting cookies is not easier than rejecting them.
- Update the privacy policy, legal notice and cookie policy.
- Sign a processor agreement with hosting, email marketing, CRM or web providers if they process data.
- Include an unsubscribe mechanism in commercial communications.
- Document the analytics, advertising tools and plugins in use.
Cookies: a particularly sensitive point
The AEPD updated its cookie criteria to reinforce users’ freedom of choice. Technical cookies may be used without consent, but analytics, advertising or non-essential personalisation cookies usually require prior and informed consent.
Conclusion
A legally well-maintained website builds trust and reduces risk. Copying generic texts is not enough: policies, forms and cookies must reflect what the website actually does.



