UPDATED 2026-05-10
E-commerce Regulatory Landscape in Spain
Spain's e-commerce sector operates under a multi-layered regulatory framework that has intensified significantly since 2022. The primary supervisor is the Autoridad de Protección de Datos (AEPD), Spain's national data protection authority, which enforces GDPR requirements across all digital businesses. Beyond data protection, e-commerce operators face new obligations under the Digital Services Act (DSA), which took effect for large platforms in 2024, and emerging requirements under the European Electronic Communications Code (EECC) implementation in Spanish law.
Spanish e-commerce businesses must navigate three concurrent regulatory ecosystems: data governance (GDPR), platform accountability (DSA), and consumer protection frameworks embedded in Spain's Ley de Comercio Electrónico and broader EU directives. The regulatory burden is substantial because Spain applies EU rules without meaningful national exemptions. Companies operating across Spanish and other EU borders face compounding complexity—each member state interprets GDPR nuances differently, and DSA compliance is EU-wide. The AEPD publishes sector-specific guidance on payment data handling and cookie practices, making compliance more prescriptive than in some peer jurisdictions.
For e-commerce founders, the critical insight is that Spain treats consumer data protection and platform transparency as equally important compliance pillars. A checkout form that doesn't meet GDPR standards or inadequate content moderation disclosure can each trigger AEPD enforcement action independently.
Applicable Regulations: Deadlines and Requirements
GDPR (General Data Protection Regulation)
The General Data Protection Regulation (EU) 2016/679 has been enforceable since 25 May 2018 and remains the foundational requirement for all e-commerce operators collecting personal data in Spain. For e-commerce specifically, GDPR governs how you collect, store, and process customer payment information, shipping addresses, browsing behaviour through cookies, and email marketing lists.
Key obligations for e-commerce include: obtaining explicit consent before collecting data beyond what is necessary for the transaction; providing transparent privacy notices at checkout; honouring data subject rights (access, deletion, portability) within 30 days; conducting Data Protection Impact Assessments (DPIAs) for high-risk processing such as profiling customers for targeted advertising; and appointing a Data Protection Officer if you process data at scale. Spain's AEPD has issued specific guidance on cookie practices (its 2021 cookie guidance document) requiring that pre-ticked consent boxes be removed and replaced with clear, affirmative consent mechanisms.
The AEPD regularly publishes enforcement decisions on its website (aepd.es). Recent Spanish cases have focused on inadequate consent mechanisms in e-commerce checkouts and retention of payment data beyond statutory minimums. There is no fixed deadline for GDPR compliance—it is ongoing—but the AEPD conducts routine audits of major retailers. Full text: GDPR on EUR-Lex.
Digital Services Act (DSA)
The Digital Services Act (EU) 2022/2065 entered into force on 19 November 2022 and became fully applicable on 17 February 2024. Spain implements it through the Ley de Servicios Digitales, though the EU regulation itself takes precedence. DSA requires e-commerce platforms (including marketplaces and product recommendation systems) to provide transparency on how algorithms rank, recommend, or filter products.
For e-commerce businesses, DSA obligations depend on your scale. If you operate an online marketplace, you must: publish clear terms of service explaining how your recommendation systems work; allow traders to access data about their products' visibility and performance; implement systems for detecting and removing illegal products (counterfeit goods, stolen items); and respond to takedown notices within specific timeframes. The regulation distinguishes between "very large online platforms" (VLOPs, with systemic reach) and standard platforms—most mid-size e-commerce operators fall in the latter category but remain subject to core transparency requirements.
The European Commission and national regulators (in Spain, the Comisión de Autoridades Reguladoras de Comercio Electrónico, although direct DSA enforcement there is coordinated by the Ministry of Digital Transformation in liaison with national authorities) began active enforcement in mid-2024. There is no preset compliance deadline, since the DSA is continuously applicable, but businesses that ignore it risk fines of up to 6% of annual global revenue. Full text: DSA on EUR-Lex.
European Electronic Communications Code (EECC)
The European Electronic Communications Code (EU) 2014/61 (codified), as most recently amended, governs digital communications infrastructure and, tangentially, e-commerce operators' use of electronic marketing channels. In Spain, this is implemented through the Ley General de Telecomunicaciones.
For e-commerce, the EECC's most direct impact is on direct marketing compliance: sending marketing emails or SMS messages requires prior explicit opt-in consent (not soft-opt-in, in Spain's stricter interpretation). SMS campaigns, in particular, are treated as high-friction marketing channels requiring documented consent. Spain's AEPD interprets EECC electronic marketing rules as overlapping with GDPR consent requirements, creating a "both/and" rather than "either/or" scenario.
The regulation does not have a single compliance deadline but governs ongoing activities. E-commerce businesses using email marketing must maintain consent records for audit purposes. Non-compliance can result in fines from both AEPD (GDPR/EECC overlap) and Spain's Comisión Nacional de los Mercados y la Competencia (CNMC) if electronic marketing violates competition principles. EECC framework on EUR-Lex.
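The consent-record requirement above is easier to audit when consent is kept as an append-only ledger rather than a single boolean on the customer record. The following is an added example (not from the page, and not any regulator's or vendor's code) of such a ledger for email and SMS marketing. The channel names, the set of sources counted as explicit opt-in, the event fields and all sample data are constructed assumptions; the rule it enforces is the page's own: a send is allowed only if the most recent recorded event for that customer and channel is a documented, explicit grant.

```python
"""Append-only consent ledger for e-mail/SMS marketing (added example, constructed).

Assumptions, not from the page: each event records the channel, whether consent was
granted or withdrawn, a timezone-aware timestamp, how the consent was captured, and a
pointer to the stored evidence (form version, submission id). Grants from sources that
are not explicit opt-in (pre-ticked boxes, soft opt-in) are rejected at write time.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed set of capture methods treated as explicit, prior opt-in.
EXPLICIT_SOURCES = {"unticked_checkbox", "double_opt_in_confirmation"}


@dataclass(frozen=True)
class ConsentEvent:
    customer_id: str
    channel: str      # "email" or "sms" (constructed channel names)
    granted: bool     # True = consent given, False = consent withdrawn
    at: datetime      # when the event happened (must be timezone-aware)
    source: str       # how the event was captured
    evidence: str     # reference to the retained proof for auditors


class ConsentLedger:
    """Events are only ever appended; the latest event by timestamp decides."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, ev: ConsentEvent) -> None:
        if ev.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        if ev.granted and ev.source not in EXPLICIT_SOURCES:
            raise ValueError(f"{ev.source!r} is not an explicit opt-in source")
        if ev.granted and not ev.evidence:
            raise ValueError("a grant must carry audit evidence")
        self._events.append(ev)

    def may_send(self, customer_id: str, channel: str, now: datetime) -> bool:
        """True only if the newest event at or before `now` for this channel is a grant.

        Using the newest event by timestamp (not insertion order) means a withdrawal
        that is imported late still takes effect, and a grant that post-dates a
        withdrawal is honoured.
        """
        relevant = [
            e for e in self._events
            if e.customer_id == customer_id and e.channel == channel and e.at <= now
        ]
        if not relevant:
            return False  # no consent on record: do not send
        return max(relevant, key=lambda e: e.at).granted

    def audit_trail(self, customer_id: str) -> List[ConsentEvent]:
        """Chronological history for one customer, as an auditor would ask for it."""
        return sorted(
            (e for e in self._events if e.customer_id == customer_id),
            key=lambda e: e.at,
        )
```

Withdrawal events are accepted from any source (an unsubscribe link is enough to stop sending), while grants must come from an explicit source and carry evidence, which is the asymmetry the consent rule implies.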
Top 3 Industry-Specific Compliance Pitfalls
Pitfall 1: Inadequate Consent for Payment Data Storage
Spanish e-commerce operators frequently retain payment card data longer than Payment Card Industry Data Security Standard (PCI DSS) or GDPR minimums permit. In a 2022 AEPD enforcement action against a major Spanish fashion retailer, the authority found that the company stored full credit card numbers and expiration dates in plaintext for "customer convenience" during repeat purchases—a practice that violated GDPR's data minimization principle even though the company had obtained initial consent for the transaction.
The AEPD argued that retaining unencrypted payment data creates unjustified processing risk and that consent for a single transaction does not extend to indefinite retention for convenience. The business was required to delete all stored payment credentials and implement tokenization instead. For founders: use payment service providers (PSPs) that handle tokenization and never store full card data yourself. Document your legal basis for any retention beyond the transaction fulfillment window. This is not a grey area in Spain.
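The minimisation practice described in this pitfall (keep a PSP token, never the card number, and justify any retention past fulfilment) can be enforced in code rather than by policy alone. The following is an added example, not from the page and not the code of any PSP or of the retailer in the case above. The 90-day fulfilment window, the token format, the field names and the sample data are constructed assumptions; the Luhn check is the standard card-number checksum and is used here only to refuse storing anything that looks like a full PAN.

```python
"""Tokenised card storage with a justified-retention check (added example, constructed).

Assumptions, not from the page: the PSP hands back an opaque token; we persist only that
token, the card brand and the last four digits; tokens are purged after a constructed
90-day fulfilment window unless the customer has separately consented to a card on file
and the legal basis for keeping it is written down.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

FULFILMENT_WINDOW = timedelta(days=90)  # constructed policy value
# 13-19 digits, optionally separated by spaces/hyphens, not embedded in a longer run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used only to recognise probable card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if a Luhn-valid 13-19 digit sequence appears anywhere in `text`."""
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


@dataclass
class StoredPayment:
    order_id: str
    psp_token: str                      # opaque PSP reference, never card data
    brand: str
    last4: str
    fulfilled_at: datetime
    card_on_file_consent_at: Optional[datetime] = None  # constructed field
    legal_basis_note: str = ""          # why retention past fulfilment is justified


def record_payment(order_id: str, psp_token: str, brand: str, last4: str,
                   fulfilled_at: datetime, notes: str = "",
                   card_on_file_consent_at: Optional[datetime] = None,
                   legal_basis_note: str = "") -> StoredPayment:
    """Persist only tokenised data; refuse any field that looks like a full PAN."""
    for value in (psp_token, notes, legal_basis_note):
        if contains_pan(value):
            raise ValueError("refusing to store what looks like a full card number")
    if not re.fullmatch(r"\d{4}", last4):
        raise ValueError("last4 must be exactly four digits")
    return StoredPayment(order_id, psp_token, brand, last4, fulfilled_at,
                         card_on_file_consent_at, legal_basis_note)


def retention_decision(p: StoredPayment, now: datetime) -> str:
    """'keep' inside the fulfilment window or with documented consent, else 'purge'."""
    if now - p.fulfilled_at <= FULFILMENT_WINDOW:
        return "keep"
    if p.card_on_file_consent_at is not None and p.legal_basis_note:
        return "keep"
    return "purge"


def purge_expired(records: List[StoredPayment],
                  now: datetime) -> Tuple[List[StoredPayment], List[Tuple[str, str]]]:
    """Drop tokens that no longer have a basis for retention; return survivors + audit log."""
    kept, audit = [], []
    for p in records:
        decision = retention_decision(p, now)
        audit.append((p.order_id, decision))
        if decision == "keep":
            kept.append(p)
    return kept, audit
```

The write-time PAN check matters as much as the retention sweep: the plaintext card numbers in the case above reached storage through an ordinary save path, so the refusal has to sit on that path, not in a later clean-up.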
Pitfall 2: Opaque Recommendation Algorithms Under DSA
Marketplace operators (especially those combining third-party seller inventory with proprietary recommendations) have been caught off-guard by DSA's transparency requirements. A Spanish online marketplace selling cosmetics products faced DSA enforcement in 2024 after failing to clearly disclose that its "top seller" rankings were influenced by vendor fees and not purely by customer ratings. The platform had disclosed the general existence of ranking factors in its privacy policy but not the specific algorithmic inputs or their relative weights.
Under DSA Article 24, platforms must provide clear, readily available explanations of the main parameters, algorithms, and signals that determine the ranking of products or search results. This must be understandable to an average user, not buried in a 40-page terms document. The solution: create a dedicated "How We Rank Products" page that lists each factor (reviews, sales velocity, vendor payment level) and explains in plain language how they interact. Update this whenever your algorithm changes.
Pitfall 3: Insufficient Content Moderation for Counterfeit and Illegal Goods
Spanish marketplaces are particularly exposed to enforcement risk under DSA Article 20 (diligence obligations for illegal content) because Spain has a high prevalence of counterfeit designer goods and pharmaceutical fraud in online commerce. A marketplace operator in Madrid was subject to regulatory enforcement in 2023 when it was discovered that sellers were listing counterfeit luxury handbags with minimal verification. Although the platform had a reporting mechanism, it did not proactively scan listings or require seller documentation of authenticity claims.
DSA requires platforms to design systems for detecting illegal products proportionate to risk level. For high-value or regulated categories (luxury goods, cosmetics, medications), this means implementing seller verification, potentially requiring proof of authorization from brand owners, and audit trails. The enforcement notice required the platform to add pre-listing category restrictions and mandatory brand authentication for luxury goods. The lesson: identify product categories that are high-fraud targets in your vertical and implement upstream seller verification. Reactive moderation is no longer sufficient.
Getting Started with Spain E-commerce Compliance
Your compliance roadmap should begin with a data audit: identify every touchpoint where customer data is collected (checkout, marketing signup, analytics, cookies) and map it against your current consent mechanisms and retention policies. Run a GDPR gap analysis focused on checkout flow—this is where most Spanish e-commerce businesses fail. Second, document your algorithmic decision-making if you run a marketplace or personalization engine; prepare a plain-language "How We Rank" disclosure. Third, audit your content moderation capacity against DSA Article 20: can you identify and remove counterfeit goods, stolen items, or controlled substances within your supply chain?
The AEPD publishes guidance documents and enforcement decisions on aepd.es; the European Data Protection Board (EDPB) provides DSA interpretation at edpb.europa.eu. Neither provides a single compliance template, but together they define the floor.
Use the RegReady calendar to track deadlines specific to your e-commerce operation, jurisdictional footprint, and product categories. Set up scheduled reviews of your DSA transparency disclosures (DSA requires periodic updates) and GDPR consent mechanisms, particularly around cookie renewal and email list maintenance. Set up your compliance calendar for Spain e-commerce operations.