GDPR Analytics in Spain: 7 Questions Online Stores Actually Ask
A Spanish online store sits between two costs: AEPD enforcement if the cookies are wrong, and losing a third to half of its data if the banner is right. These are the seven questions operators ask — answered directly, one at a time.
Each answer below is self-contained — the format is deliberate, because these are the literal questions store owners type into a search box or an AI assistant. For the full legal reasoning behind the short answers, the companion piece is our GDPR & ePrivacy legal assessment; for the Spain-specific criteria in depth, see GDPR analytics in Spain — the AEPD guide explained.
1. Does my online store need a cookie banner for analytics?
No — not if the analytics tool sets no cookies and processes no personal data. A banner is legally required only when measurement stores something on the device (a cookie, localStorage) or processes personal data such as an IP address. The AEPD's cookie guidance exempts anonymous, aggregate audience measurement with no cross-site tracking. With cookieless analytics like SealMetrics, no banner is required for measurement; if you also run marketing cookies, those still need consent on their own.
2. What does the AEPD say about analytics cookies?
Spain's AEPD (cookie guidance, updated 2024) treats analytics cookies as requiring prior consent, with one practical exemption: tools performing anonymous, aggregate audience measurement — no cross-site data, no visitor identification — may operate without consent. Rejecting must be as easy as accepting, and cookie walls are not valid. The legal basis sits in Article 22.2 of the LSSI-CE, Spain's implementation of the ePrivacy Directive.
3. Is Google Analytics 4 legal in Spain?
Yes, with consent. GA4 sets cookies and processes personal data (client ID, IP-derived location), so it requires a banner and prior consent under the LSSI-CE and GDPR. The practical consequence: 35-55% of visitors reject the banner, and after ad blockers and browser restrictions GA4 ends up showing roughly 13% of real EU traffic. Legal with consent, yes; complete, no.
4. Which GDPR-compliant analytics can a small business use?
It depends on what the data decides. For a small site with no ad spend, a lightweight privacy-first tool (Plausible, Fathom, Umami — from around €9/month) is compliant and sufficient. Once you invest in campaigns and allocate budget on the data — typically from a few thousand euros a month in ads — the 35-55% of traffic a banner-gated tool loses costs more than the analytics: that is where a cookieless platform with revenue attribution like SealMetrics (from €599/month) pays for itself.
5. Can I measure conversions and campaigns without cookies?
Yes. Cookieless measurement counts events anonymously and in aggregate — visits, conversions, revenue by channel and campaign — without storing anything on the device or identifying the visitor. Attribution is computed last-click on 100% of traffic. What it does not do, by design: reconstruct an individual user's journey or run multi-touch attribution, both of which require personal identifiers.
6. What are the fines for using analytics cookies without consent in Spain?
Cookie infringements are sanctioned under the LSSI-CE: minor infringements up to €30,000, serious ones from €30,001 to €150,000. The AEPD enforces these regularly, and not only against large companies — the most common triggers are banners with no real reject option, cookies set before consent, and cookie walls. If unlawful personal-data processing is also involved, GDPR sanctions apply on top, with far higher ceilings.
7. How much traffic do I lose if my analytics depends on a banner?
Between 35% and 55% of EU visitors reject the banner, ad blockers affect over 40% of users, and browsers restrict cookies — the combined effect leaves GA4 showing roughly 13% of real EU traffic. For an online store that means campaign attribution and conversion rates computed on a fraction of reality. You can quantify your own case with the SealMetrics data-loss calculator.
The pattern behind the seven answers
Every answer reduces to the same two-part test: does the tool store anything on the visitor's device, and does it process personal data? Fail either and you need a banner — with the 35-55% data loss it brings. Pass both, as anonymous aggregate measurement does under the AEPD guidance, and no banner is required for analytics. If you want to audit your current stack against every requirement — not just the Spanish ones — run through the regulatory gap analysis, and quantify what the banner is costing you with the data-loss calculator.
General information about Spanish and EU data-protection rules as applied to web analytics, not legal advice. Confirm your specific setup with your DPO or counsel.
Related reading
Go deeper
- GDPR analytics in Spain — AEPD criteria in depth
The full AEPD cookies-guide walkthrough with the architectural exemption.
- Consentless analytics — the legal framework
GDPR Art. 6, ePrivacy Art. 5(3), and six EU authorities aligned.
- Regulatory gap analysis
Audit your stack requirement by requirement — GDPR, ePrivacy, AEPD, UK PECR.
