Excerpt
The Spanish DPA (AEPD) fined ASOCAPAC for insufficient information provided on the first layer of the cookie banner and the missing "refuse all cookies" option in the cookie policy on their website.
Our analysis
In the case of FACUA vs ASOCAPAC, FACUA filed a complaint against ASOCAPAC for their cookie banner on their website. The Spanish DPA (AEPD) conducted an investigation and found that the cookie banner did not provide clear and concise information, as it only stated that "This website uses its own and third party cookies to offer you a better experience and service." This lack of information undermines the transparency of the message. Furthermore, the Spanish DPA discovered that the cookie policy on ASOCAPAC's website did not provide information on the identification and the time that the cookies were active, although it did provide additional information on what cookies are and what first and third-party cookies are used for. The DPA also noted that there was no option to refuse all cookies. The Spanish DPA (AEPD) found that the lack of sufficient information on the first layer of the cookie banner, the absence of information about the type of cookie and the duration of their activity, as well as the lack of a "refuse all cookie" option, constituted a breach of Article 22(2) of the Spanish Law on Services of the Information Society and Electronic Commerce (LSSI). Therefore, the DPA imposed a warning sanction on ASOCAPAC and gave them one month to modify the cookie banner and introduce a new cookie policy.
Outcome
The AEPD found that ASOCAPAC violated Article 22(2) of the Spanish LSSI due to the insufficient information on their cookie banner, lack of information on cookie type and time of activity, and the absence of a “refuse all cookies” option. As a consequence, ASOCAPAC received a warning sanction from the AEPD and was given one month to modify their cookie banner and implement a new cookie policy.
Parties
FACUA - Asociación de Consumidores Usuarios en Acción and Asociación de Afectados por las Asociaciones de Consumidores
Case number
PS/00264/2020
Decision
Related deceptive patterns
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.