Cumplimiento normativo

LSSI & E-commerce Legal Compliance

An online store operating in Spain faces a demanding legal framework: the LSSI-CE, the GDPR, consumer protection regulations and, since 2024, the Digital Services Act (DSA). We put all the legal documents and digital-sales workflows in order so you can sell without the risk of fines.

Legal frameworkLSSI-CE · GDPR · DSA · RD Leg. 1/2007
ScopeOnline stores, marketplaces and websites with e-contracting
Delivery4–6 weeks from the initial audit

Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE) forms the legal foundation for any online business in Spain. It requires the service provider to identify themselves, disclose information before the contract is signed, record consent for commercial communications and manage cookie use correctly. Penalties can reach €600,000 in the most serious cases, and the Spanish Data Protection Agency (AEPD) combines LSSI sanctions with GDPR penalties when the breach also affects personal data.

Since 17 February 2024, the Digital Services Act (DSA) applies directly in all EU Member States, including Spain. For stores that operate as platforms or marketplaces, the obligations are broader: vetting third-party sellers, transparency in content moderation, access to out-of-court dispute resolution, and — for very large platforms (more than 45 million users in the EU) — independent annual audits. The CNMC is the supervisory authority in Spain and can impose fines of up to 6% of annual worldwide turnover.

Beyond the LSSI and the DSA, Spanish e-commerce must comply with Royal Legislative Decree 1/2007 (the consolidated Consumer Protection Act), which mandates a 14-day right of withdrawal, complete pre-contractual information and written order confirmation. Additionally, since 28 June 2025, Law 11/2023 requires new online stores to meet WCAG 2.1 AA accessibility standards — with a progressive roll-out for existing ones. Summum Consultoría combines regulatory review with documentary and technical implementation so your e-commerce operates with full legal certainty.

The LSSI & E-commerce Legal Compliance process.

The process · four stages
01

Legal website audit

We review the website and store as it currently stands: provider identification, published legal texts, purchase flow, data-capture forms, cookie banners and returns procedures. We produce a gap report with a risk level for each non-compliance detected.

02

Drafting legal documents

We draft or update the legal notice, privacy policy, cookie policy, general terms and conditions of sale and withdrawal forms. Each document reflects your store's actual activity and real data-processing operations.

03

Technical implementation and CMP configuration

We coordinate with your technical team or web agency to publish the texts correctly, configure the Consent Management Platform (CMP) in line with the AEPD's 2025 guidelines, and review the checkout flow to ensure it meets mandatory pre-contractual disclosure requirements.

04

Final verification and ongoing maintenance

We carry out a test purchase and a full walkthrough of the website to confirm that all texts are accessible, consents are captured correctly and the returns process complies with the 14-day deadline. We include an update protocol so your store remains compliant in the face of future regulatory changes.

What is included

What LSSI & E-commerce Legal Compliance includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Legal notice compliant with the LSSI

    Full provider identification, registration details, contact information, professional body where applicable and website terms of use.

  • Privacy policy and GDPR

    Document tailored to your actual processing activities: purchases, newsletters, contact forms, retargeting and the lawful basis for each purpose.

  • Cookie policy and CMP management

    Classification of all active cookies, banner configuration without dark patterns and consent records compliant with the AEPD 2025 guidelines.

  • General terms and conditions of sale

    Regulation of the purchase process, price, shipping costs, delivery timescales, 14-day right of withdrawal and statutory guarantees under RDL 1/2007.

  • DSA checklist for platforms

    Assessment of the applicable level of obligations based on platform type and volume, with a roadmap for compliance with the Digital Services Act requirements.

  • Complaints management protocol

    Internal procedure for handling withdrawal requests, consumer complaints and communications with the AEPD or CNMC in the event of a formal enquiry.

Frequently asked questions about LSSI & E-commerce Legal Compliance.

Is a legal notice mandatory for a small online store?

Yes. The LSSI-CE (Law 34/2002) requires any provider of information society services carrying out economic activity — regardless of size — to publish full identifying information. There is no turnover or traffic threshold that exempts a store from this obligation. The absence of a legal notice is a serious infringement punishable by fines of up to €150,000.

What does the Digital Services Act (DSA) change for my online store?

The DSA has applied directly since 17 February 2024. If your store only sells its own products, the new obligations are limited (essentially, advertising transparency and a complaints contact point). If you operate as a marketplace — selling products from third-party sellers — you must verify those sellers' identities, manage out-of-court dispute resolution and publish transparency reports. Very large platforms (more than 45 million users in the EU) face additional audit obligations.

What should a cookie banner look like in 2025 according to the AEPD?

The AEPD's current guidelines require the banner to display the accept and reject options for non-essential cookies at the first level with equal prominence. Hiding the reject button or using deceptive design patterns that hinder the user's decision is not permitted. The Consent Management Platform must also record and be able to demonstrate what each user consented to and when.

How many days does a customer have to return an online purchase?

Royal Legislative Decree 1/2007 (the consolidated Consumer and User Protection Act) establishes a right of withdrawal of 14 calendar days from receipt of the product or, for services, from the conclusion of the contract. If the seller fails to inform the customer of this right correctly, the period extends to 12 months.

What is the difference between the privacy policy and the general terms and conditions of sale?

They are documents with distinct legal bases. The privacy policy is a GDPR obligation: it informs users how their personal data is processed. The general terms and conditions of sale are the contract between seller and buyer: they govern price, delivery, warranties, returns and dispute resolution. Both documents are mandatory and must be accessible before the customer completes the purchase.