Excerpt
Iweb Internet Learning, S.L. was fined by the Spanish Data Protection Agency for failing to identify the data controller, not allowing separate consent for each purpose, and providing insufficient information on the use of cookies.
Our analysis
The AEPD initiated a sanction procedure against the defendant after receiving a complaint from Neptunos Formación, S.L., which highlighted the absence of any information on the identity of the defendant on their website. The AEPD investigated whether the defendant had complied with the applicable laws, specifically whether the privacy policy provided information on the data controller and whether the website offered a choice for users to provide specific and separate consent for each purpose. However, this information was not readily available on the website. Furthermore, the website did not include any banner or information on the use of cookies. The AEPD found the defendant in potential violation of Article 13 GDPR, Article 7 GDPR, and Article 22(2) LSSI due to their bundling of information and hidden presentation of key details.
Outcome
The AEPD found that the defendant had violated Article 13 GDPR, Article 7 GDPR, and Article 22(2) LSSI by not identifying the data controller, not providing a separate consent option for each purpose, and not providing sufficient information on the use of cookies. The AEPD determined that, due to aggravating circumstances such as the defendant's intentionality and the length of time over which the violations occurred, a fine of €13,000 would be imposed if the sanction procedure was successful. However, the AEPD offered the defendant the opportunity to settle the matter by voluntarily paying part of the fine and acknowledging its liability before a final decision was made. The defendant agreed, and the AEPD closed the sanction procedure.
Parties
Neptunos Formación, S.L. and Iweb Internet Learning, S.L.
Case number
PS/00234/2020
Decision
Related deceptive patterns
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Forced action involves a provider offering users something they want, but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Related laws
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Article 22(2) LSSI requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.