Most SMEs running an online store have been selling for years without ever reviewing their legal foundations. The privacy notice was copied from another website back in 2019, the general terms and conditions do not cover the right of withdrawal updated by Royal Decree-Law 7/2021, and the cookie layer accepts everything without filtering. That scenario is the norm, not the exception. The question is not whether there are violations, but how many and how serious.
A legal ecommerce audit puts figures and priorities to that reality. It is not a bureaucratic formality: it is the starting point for selling with guarantees, avoiding sanctions from the Spanish Data Protection Agency (AEPD), the Directorate-General for Consumer Affairs or payment platforms, and protecting the customer relationship when something goes wrong.
Which regulations does a legal online store audit cover
Spanish ecommerce is subject to a regulatory landscape that has tightened considerably between 2021 and 2026. A thorough audit covers, at minimum, the following layers:
| Regulation | What it governs | Sanctioning body |
|---|---|---|
| LSSI-CE (Law 34/2002) | Provider identification, commercial communications, electronic contracting conditions | Secretary of State for Telecommunications |
| GDPR + LOPDGDD | Collection and processing of personal data of customers, subscribers and employees | AEPD (up to €20 M or 4% of global turnover) |
| Royal Decree-Law 7/2021 (amended TRLCU) | Consumer rights: 14-day withdrawal, warranties, pre-contractual information, digital goods | Autonomous communities and national Consumer Affairs |
| ePrivacy Regulation / Cookie Law | Consent for non-essential cookies, consent management platforms (CMP) | AEPD |
| DSA — Digital Services Act (EU 2022/2065) | Platform transparency, content moderation, traceability of professional sellers | CNMC / European Commission |
| Omnibus Directive (implemented in RDL 7/2021) | Price advertising in sales, verified reviews, penalties for misleading prices | Regional and national Consumer Affairs |
| Verifactu / B2B e-invoicing (Crea y Crece Act) | Obligation to issue electronic invoices to businesses and to invoice with anti-fraud software | AEAT (Spanish Tax Agency) |
None of these regulations is optional. The accumulation of layers is what makes the review complex and what justifies using a specialised legal compliance service for ecommerce rather than making do with a generic checklist downloaded from the internet.
What the audit involves, step by step
A legal ecommerce audit is not a superficial read-through of the legal texts published on the website. It is a technical and legal analysis combining document review, functional verification of the purchase flow, and comparison with current regulations. These are the usual blocks:
1. Identity and legal notice (LSSI art. 10)
The audit verifies that the legal notice includes: full registered name, tax ID, registered address, company registration details, email address and, where applicable, professional registration number or administrative authorisation. Many SMEs publish only their trade name and a phone number, which violates article 10 of the LSSI and can lead to fines of up to €30,000.
2. Privacy policy and legal basis for each processing activity
All data collection forms are audited (purchase, account creation, newsletter, contact, chat) and the privacy policy is checked to see whether it correctly informs users of: the purpose of processing, legal basis, retention period, any disclosures to third parties (payment gateway, email marketing platform, courier) and how to exercise data rights. A frequent error is using «legitimate interest» as the basis for sending advertising without having carried out the balancing test required by the GDPR.
3. Cookie consent management
The AEPD published its updated «Guide on the use of cookies» in 2023 and launched an inspection campaign targeting online stores in 2024. The audit checks whether the implemented CMP (Cookiebot, OneTrust, Axeptio or others) genuinely blocks non-essential cookies before consent is given, whether rejection is as simple as acceptance, and whether the banner does not use dark patterns to steer users toward «yes». The AEPD has issued warnings and fines to companies with annual turnover below €250,000 for this point alone.
4. General terms and conditions and the purchase process
The full checkout flow is reviewed: is the final price including VAT shown before payment? Does the confirmation button include the phrase «obligation to pay» or equivalent as required by the Consumer Rights Directive? Do the withdrawal conditions cover the 14 calendar days and the legal exceptions (digital content, personalised products, perishables)? Does the returns policy correctly state who bears the shipping costs? These points are a frequent source of complaints to the OCU and Facua consumer organisations.
5. Price transparency and discount advertising
The Omnibus Directive, in force in Spain since 2022, requires showing the lowest price of the past 30 days as a reference when advertising a discount. The audit checks the technical implementation of this requirement on the platform (WooCommerce, PrestaShop, Shopify) and reviews whether published reviews verify they come from confirmed buyers.
6. Security and breach notification
The audit checks whether the ecommerce has a documented procedure for detecting and notifying security breaches to the AEPD within the 72-hour deadline required by the GDPR. Contracts with hosting providers, payment gateways and marketing tools are also reviewed to confirm they include data processor clauses (GDPR art. 28).
How much does a legal ecommerce audit cost: indicative market ranges
The price of a legal online store audit varies according to the size of the store, the number of markets in which it operates, the complexity of the catalogue, and whether the provider delivers only the report or also executes the correction plans. The following indicative market ranges for Spain in 2025-2026 are based on publicly available offers from legal consultancies and firms specialising in digital law:
| Type of service | Indicative range (excl. VAT) | What it usually includes |
|---|---|---|
| Basic audit (report only) | €800 – €1,800 | Review of published legal texts, compliance checklist, gap report with severity levels |
| Full audit (report + action plan) | €1,800 – €3,500 | All of the above plus functional review of the purchase flow, live cookie analysis and prioritised roadmap |
| Audit + executed compliance | €3,500 – €7,000 | Drafting of all legal texts, CMP configuration, checkout review and support until all gaps are closed |
| Annual legal maintenance | €600 – €1,500/year | Updating texts when regulations change, bi-annual review, unlimited queries |
These prices are indicative market figures and do not constitute the rates of any specific provider. Factors that push the price upward include: operating in several EU countries (requiring jurisdiction-by-jurisdiction analysis), selling regulated products (food, cosmetics, medical devices, toys), processing data of minors, or needing an associated external DPO. Factors that reduce it include: single-brand store with no third-party marketplaces, standard catalogue with no regulated products, and SaaS platform with pre-configured legal modules (Shopify, for example, handles part of electronic invoicing natively in certain markets).
When the audit becomes urgent
There are moments when postponing the legal review ceases to be mere imprudence and becomes real risk. Experience accumulated since 2007 in regulatory compliance projects for SMEs points to five common triggers:
- Launching a new ecommerce. Starting to sell without correct legal texts creates a liability from day one. The first customer complaint or the first AEPD inspection arrive sooner than expected.
- Expanding into new European markets. Selling in France, Italy or Germany means complying with consumer information requirements in each country, in addition to the common GDPR. A legal notice designed only for Spain is not sufficient.
- Customer complaint or consumer affairs report. When a formal complaint arrives, the absence of correct general terms and conditions or proof of the customer's consent makes the defence far more costly.
- Change of technology platform. Migrating from PrestaShop to Shopify or from WooCommerce to Magento often resets privacy and cookie settings. It is the right moment to review and update the entire legal framework.
- Joining any marketplace programme. Amazon, El Corte Inglés Digital or Miravia require their sellers to comply with LSSI and GDPR. Non-compliance can result in account suspension.
The difference between compliance and audit: do not confuse them
The audit diagnoses the current state of compliance: what is missing, what is poorly worded, what processes lack documentary support. The compliance project executes the corrections: drafts the texts, configures the CMP, reviews the checkout and supports implementation. These are two distinct phases, although many providers offer them as a single project.
It is also important to distinguish between a legal audit and a technical security audit (penetration testing, vulnerability analysis). The former is carried out by a digital law specialist; the latter by a cybersecurity team. Both are advisable for a mature online store, but they answer different questions. If what you need is to reinforce the technology layer, the ecommerce legal compliance team can coordinate with the systems specialists for an integrated approach.
What the audit cannot replace
A one-off audit is a snapshot of legal status at a given moment. Ecommerce regulations change frequently: the Spanish transposition of the Digital Services Directive, the forthcoming ePrivacy Regulation that will replace cookie guidelines, or the Verifactu implementation deadlines for SMEs (1 January 2027 for companies and 1 July 2027 for self-employed persons and other taxpayers, per Royal Decree-Law 15/2025 and Royal Decree 238/2026) are changes that require ongoing review. That is why consultancies expert in digital law typically offer an annual legal maintenance service that updates texts with every regulatory development and ensures the store remains compliant without the business owner having to follow the Official Gazette week by week.
Frequently asked questions
Can I copy the legal texts from another website and adapt them?
Technically no one can stop you, but the risks are serious. Copied texts are usually out of date, do not reflect your actual activity (data processing activities, recipients, products sold) and may contain errors inherited from the original. If the AEPD opens an investigation, the inconsistency between published texts and actual processing activities aggravates the sanction. Custom-drafted texts are always the correct option.
What happens if the AEPD inspects me without a prior complaint?
The AEPD carries out ex-officio inspections, particularly in sectors that handle large volumes of personal data (ecommerce, insurance, telecommunications). In 2024 and 2025 it intensified its actions against mid-sized online stores. The usual procedure starts with an information request: if you cannot provide documentary evidence of compliance, a sanctioning file is opened. Fines for SMEs typically range between €5,000 and €50,000 for mid-level violations, although serious infringements (total absence of a legal basis for large-scale processing) can exceed that figure.
How long does a legal ecommerce audit take?
It depends on the scope. A basic diagnostic audit can be delivered in 5 to 10 business days. If it includes a full functional review of the checkout, live CMP analysis and comparison with external providers, the typical timeframe is 3 to 5 weeks. The compliance phase (text correction and implementation) usually adds a further 2 to 6 weeks depending on complexity.
Does the audit also cover the sales channel on social networks or marketplaces?
It depends on the contract. Many audits focus on the store's own website. If you sell through Instagram Shopping, TikTok Shop, Amazon or Miravia, you also need to review the conditions of each platform and how they align with your own legal texts. That is a different perimeter that should be specified before commissioning the service. The usual approach is to audit it as a separate module or in a second phase.