The Spanish DPA (AEPD) fined Asociación de Víctimas por Arbitrariedades Judiciales (JAVA) for publishing illegal recordings on its website and dropping Google Analytics cookies without user consent. Additionally, there was no second layer on the cookie banner enabling the user to refuse to consent to all cookies.
Our analysis
The complainants raised concerns that illegal recordings of witness statements were being used on the website of Asociación de Víctimas por Arbitrariedades Judiciales (JAVA). These recordings were obtained by a lawyer in a corruption case, and the complainants argued that the publication of these recordings on the website was an infringement of Article 6(1)(a) of the General Data Protection Regulation (GDPR), which states that personal data shall be processed lawfully, fairly, and in a transparent manner.
Moreover, the Spanish Data Protection Agency (DPA) found that upon accessing JAVA's website, several Google Analytics cookies were dropped without the user's consent. The DPA also noted that the cookie banner displayed on the website lacked clarity and did not provide the user with an option to refuse all cookies. These actions were considered to be a violation of Article 22(2) of the Spanish national law on the Information Society and eCommerce (LSSI).
The issue of concern in this case is whether publishing illegal recordings on a website constitutes an infringement of Article 6(1)(a) GDPR. The answer is yes, as the GDPR prohibits the processing of personal data obtained unlawfully. In this case, the recordings were obtained illegally, and therefore, publishing them on the website without the consent of the individuals recorded was a violation of the GDPR.
Additionally, the placing of cookies without user consent and the lack of a "Refuse all" option on the cookie banner are violations of Article 22(2) LSSI. The lack of clarity in the cookie banner message further emphasises the use of deceptive patterns, forcing the user to take action, as users would assume that by continuing to use the website, they are giving their consent to the use of cookies.
Outcome
JAVA was fined €8000 by the Spanish DPA (AEPD) for violating Article 6(1)(a) GDPR and Article 22(2) of the Spanish national law on the Information Society and eCommerce (LSSI), in relation to its use of illegal recordings and its unclear and insufficient cookie policy. The DPA found that the wording of the cookie banner lacked clarity and that Google Analytics cookies were being placed without user consent. The absence of a "Refuse all" button in the cookie banner was also deemed a violation of the LSSI. A fine of €5000 was imposed for publishing recordings obtained illegally, and an additional fine of €3000 was imposed for the violations related to the cookie policy.
Parties
D. A.A.A., and D. B.B.B. (Claimants) and Asociación de Víctimas por Arbitrariedades Judiciales (JAVA)
Case number
PS/00141/2020
Related deceptive patterns
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Related laws
The legal bases for processing personal data are performance of a contract, compliance with legal obligations, protection of vital interests, the controller's legitimate interests, and the data subject's consent.
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.