Your website has 4 pages that could cost you dearly. Have they ever been reviewed?

The legal notice, privacy policy, cookie policy and consent configuration are not formalities. They are part of the legal structure of any website with economic activity.

Published
Reading time: 8 min

Introduction

There are four pages on almost every corporate website that nobody reviews seriously: the legal notice, the privacy policy, the cookie policy and the consent configuration. They are published at the end of the project, left in the footer and rarely touched again. In many companies, the decision-maker has never even reviewed them. They have been copied from another site, come from a template or generated with an automatic tool without checking whether they reflect what the site actually does.

The problem is that they are not filler. In 2024, the Spanish Data Protection Agency (AEPD) imposed 281 fines totalling €35,592,200. The number of sanctions dropped compared to 2023, but the total amount rose by 19%. This is not a theoretical threat reserved for big tech: it is an active, stable and increasingly technical enforcement framework.

Most of the time the risk does not come from some exotic major infringement. It comes from something much simpler: a form that sends data to third parties without the policy explaining it, a banner that promises rejection but blocks nothing, analytics installed before the user consents, or a legal notice that misidentifies the actual site owner.

The problem is not "having legal texts". The problem is whether they match the actual website.

A website can have its legal pages published and still be non-compliant. In fact, that is the most common case. The text says only technical cookies are used; the implementation loads analytics and third-party scripts from the first visit. The text says data is not shared with third parties; the form triggers emails, CRM, maps, fonts or external services that do involve processing. The text says the user can refuse; the visual layer suggests it, but the code blocks nothing.

That gap between what the website declares and what it actually does is where the risk appears. Because liability is not measured by the provider's good intentions, but by the technical reality of the site and the company's ability to justify what it is doing with its users' data.

Legal notice: not a formality, it is mandatory identification

The legal notice is not there to "provide peace of mind". It exists to correctly identify the service provider. Article 10 of the LSSI requires the website to provide permanent, easy, direct and free access to information such as the name or corporate name, address, email, registry data, tax ID and, where applicable, information specific to regulated activities or professions.

This matters far more than it seems. In business groups, commercial brands or multi-entity websites, one of the most common failures is that the site markets, captures leads or represents several entities, but the legal notice identifies only one — confusingly or incompletely. At that point we are no longer talking about style or wording: we are talking about legal traceability.

Privacy policy: the document that almost never reflects the reality of data processing

The privacy policy should not be a generic text about "how we protect your data". It should be a precise description of what happens on that specific website. Article 13 of the GDPR requires informing users of, among other things, the identity and contact details of the controller, the purposes of processing, its legal basis, the recipients or categories of recipients, retention periods and the data subject's rights.

The real problem is that many websites do have this document, but it does not describe what actually happens. It does not explain what occurs when a user fills in a form. It does not mention whether data passes to an email manager, a CRM, a commercial tool, an analytics provider or third-party services involved in processing.

Cookies: where most websites fail, even though they think it is sorted

The most sensitive part of almost any corporate website is cookie and consent management. The LSSI requires informing and obtaining consent for the use of storage and data retrieval devices on terminal equipment when they are not exempt cookies. And the AEPD's guidance is very clear on points that continue to fail massively: mere inactivity does not count as consent, and the option to refuse must be offered on the same layer, at the same level and with the same visibility as the option to accept.

This is not an aesthetic issue. A nice-looking banner is not enough. If the reject button is hidden, requires more clicks, sends users to another layer, or if rejecting still loads non-essential scripts, the implementation is wrong even if it visually appears "compliant".

The typical failure: the text promises one thing and the code executes another

This is the most common pattern:

  • The policy says there are only technical cookies, but the header or tag manager loads analytics from the first visit.
  • The policy says data is not shared with third parties, but the form sends information to external services or integrates with undocumented commercial tools.
  • The banner says you can refuse, but refusing only closes the interface while scripts keep firing.
  • The company believes European hosting solves the problem, but has not reviewed what happens with the CRM, CDN, fonts, maps, embedded videos or external providers connected to the site.

This is where a web project stops being just design and development. Because real compliance is not resolved by writing a nice text in the footer. It is resolved by reviewing the actual behaviour of the site.

What a company should demand from whoever builds its website

A company should not settle for "we have added the legal notice and the banner". It should demand a serious technical review of the implementation.

That means, at minimum, identifying which scripts load on the first visit, which cookies are installed before consent, which third parties participate in forms, which external services receive data, which events fire from the tag manager, which embedded content generates processing, and whether the consent layer actually blocks what it claims to block.
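As an added illustration of the failure pattern above (a banner that "rejects" while the tag manager keeps firing) and of the technical check this paragraph asks for, here is a minimal consent gate plus an audit function. It is example code written for this article, not code from the author or any real consent tool; it uses no DOM so it runs in Node (in a browser the `loader` callback would create the `<script>` element), and every identifier, category name and URL in it is hypothetical.

```javascript
// Example consent gate (hypothetical): scripts are registered with a category and
// nothing non-essential is loaded until the user records an explicit choice.
const ESSENTIAL = "essential"; // exempt scripts/cookies: may run before any choice

function createConsentGate(loader) {
  const registry = new Map(); // id -> { category, src }
  let decision = null;        // null = no choice yet; inactivity is NOT consent

  function register(id, category, src) {
    registry.set(id, { category, src });
    if (category === ESSENTIAL) loader(id, src);
  }
  // Script ids the user has allowed so far (essential is always allowed).
  function permitted() {
    return [...registry]
      .filter(([, e]) => e.category === ESSENTIAL || (decision && decision.has(e.category)))
      .map(([id]) => id);
  }
  // Records the choice. "Reject all" is an empty list: one click, same as accept.
  function decide(categories) {
    decision = new Set(categories);
    for (const [id, e] of registry) if (decision.has(e.category)) loader(id, e.src);
  }
  return { register, decide, permitted };
}

// Audit check: which scripts actually fired that the gate never permitted?
// This is the "does the consent layer block what it claims" question.
function auditFired(gate, fired) {
  const allowed = new Set(gate.permitted());
  return fired.filter((id) => !allowed.has(id));
}

// Constructed walk-through with a hypothetical script inventory.
function demo() {
  const fired = [];
  const loader = (id) => { if (!fired.includes(id)) fired.push(id); };
  const gate = createConsentGate(loader);
  gate.register("session", ESSENTIAL, "/js/session.js");
  gate.register("analytics", "analytics", "https://analytics.example/tag.js");
  gate.register("maps", "marketing", "https://maps.example/embed.js");
  const firstVisitLeaks = auditFired(gate, fired); // [] : gate held them back
  // The broken pattern from the article: a tag manager fires analytics on the
  // first visit regardless of the banner, bypassing the gate entirely.
  loader("analytics");
  const bypassLeaks = auditFired(gate, fired);     // ["analytics"]
  gate.decide([]);                                 // user rejects everything
  return { firstVisitLeaks, bypassLeaks, afterReject: auditFired(gate, fired) };
}
```

The audit reports `analytics` both before and after the user rejects, which is exactly the discrepancy between what the banner promises and what the page executes.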

The drafting comes after. But first comes the real technical map. Because if the map is wrong, the texts will be too.

What is changing in Europe: less regulatory fragmentation, not less enforcement

For years, the European debate on cookies and electronic privacy has been stalled around the ePrivacy Regulation. The Commission announced in its 2025 work programme the intention to withdraw it, and according to the European Parliament's legislative tracking, the withdrawal was approved in July 2025 and officially announced in October 2025. Then, on 19 November 2025, the Commission presented the Digital Omnibus, a proposal seeking to simplify various digital regulations that includes changes on cookies and GDPR.

The key point here is this: it is a proposal, not an already applicable regulation. But it sets the direction. The text proposes introducing a new Article 88a in the GDPR to regulate the storage of or access to personal data on terminal equipment, maintaining consent as the general rule with certain lawfulness grounds without consent for specific cases, and requiring easy and understandable refusal via a single button or equivalent means when processing is based on consent.

Translated into business terms: even if the framework changes, nobody should interpret this as a relaxation. The reasonable approach is the opposite: review old implementations, simplify what is unnecessary, and stop relying on banners that "look correct" but would not withstand serious scrutiny.

And there is another layer coming: AI

If a website incorporates chatbots, assistants, commercial automations or AI systems connected to personal data, the scenario becomes more complex. The AI Act entered into force on 1 August 2024 and will be fully applicable on 2 August 2026, with exceptions: some obligations have applied since February 2025, GPAI model obligations since August 2025, and certain high-risk systems integrated into regulated products have a transition until August 2027.

Furthermore, the AEPD itself has flagged AI, data spaces and neurodata among its priority challenges. Not because every website will process neurodata tomorrow, but because the regulatory direction is clear: more focus on emerging technologies, more supervision and more attention to the real impact on people's rights.

Conclusion

A website's legal pages are not an appendix. They are part of its real architecture. And when they are wrong, they fail not only legally but also technically, reputationally and operationally.

A website can capture leads and still be exposed. It can look impeccable while loading tools prematurely, poorly documenting its processing or promising rejection options that do not work. That is the most common problem: not the total absence of texts, but the distance between what the texts say and what the website executes.

The right question is not whether your company "has a privacy policy" or "has a cookie banner". The right question is different:

I can review the technical implementation of your website, detect discrepancies between forms, scripts, cookies and legal texts, and flag what needs correcting before you validate it with your legal adviser or DPO.

Adrián Morín

Developer & Visual Architecture

Responsible for technical development, interface design and dependency-free web architecture.