🍪Consentio
Start free

Cookie fines in Spain: what the AEPD penalizes

Cookies are one of the most common grounds for fines in Spain. Here's what the AEPD watches for, what amounts the law provides and how to stay safe.

Who penalizes and on what legal basis

In Spain, cookie use is governed by the GDPR and the LSSI (Information Society Services Act). The Spanish Data Protection Agency (AEPD) is the competent authority and has published a Cookie Guide setting out the criteria it applies.

Conducts the AEPD penalizes

Amounts: what the law provides

The GDPR allows fines of up to €20 million or 4% of global annual turnover. Under the LSSI, improper cookie use is usually treated as a minor infringement (up to €30,000) or a serious one (€30,001 to €150,000) depending on the case. For an SMB, the practical risk is fines of thousands of euros plus reputational damage.

How to avoid a fine

This guide is informational and does not constitute legal advice. For your specific case, consult a professional.

Frequently asked questions

Can the AEPD fine me over the cookie banner?

Yes. The AEPD penalizes banners that load cookies before consent, that don't allow easy rejection or that use pre-ticked boxes, among other conducts.

How big are cookie fines in Spain?

It depends on the route and severity. The GDPR reaches up to €20M or 4% of turnover; under the LSSI, cookie infringements are usually minor (up to €30,000) or serious (€30,001 to €150,000).

Is a cookie notice enough?

No. Showing a notice but loading analytics or advertising anyway is not valid consent. You need real prior blocking and the ability to reject.

How do I prove I complied?

By keeping a record of consents (what was accepted, when and with which banner configuration). Consentio stores that record automatically.

More guides

Get your site compliant in 5 minutes

Set up your banner, copy the snippet and paste it. No card.

Create my free bannerSee live demo