Excerpt
The Spanish Data Protection Authority (AEPD) initiated a sanction procedure against Eslora Proyectos, S.L. based on a complaint filed by a Spanish citizen, which alleged that the defendant, the owner of three websites, failed to provide the necessary basic layer information to users regarding the cookies loaded on the websites.
Our analysis
This case concerns a sanction procedure initiated by the Spanish Data Protection Authority (AEPD) against Eslora Proyectos, S.L. for failing to provide the necessary basic layer information to users regarding cookies loaded on its three websites. In response to the AEPD's investigation requests, the defendant claimed that it was in the process of adapting its data protection practices to the GDPR and that it had limited resources. It also argued that, due to a controversial CJEU judgement, it had decided not to install a basic layer regarding cookies until the AEPD published guides or recommendations. However, the AEPD found that the three websites loaded non-necessary cookies, including Facebook ones, without informing users or obtaining their consent, and that the basic layer was too vague and did not follow AEPD recommendations. Additionally, the second layer of the websites provided generic information on cookies but no specific information on which cookies would be installed or for how long. The AEPD understood that the defendant could have breached its information duties in relation to cookies under Article 22(2) of the LSSI. The defendant accepted the AEPD's cookie guide and installed the basic information layer, but it was still not compliant with the legislation. The AEPD offered the defendant the option to settle the issue before the decision was taken by agreeing to a voluntary payment of part of the fine with two possible discounts.
Outcome
The AEPD gave the defendant the opportunity to settle the issue before the decision was made by agreeing to a voluntary payment of part of the fine with two possible discounts. The defendant agreed to both, acknowledged its liability, and made an early voluntary payment of 6,000 €. As a result, the AEPD closed the sanction procedure.
Parties
D.A.A.A (Claimant) and Eslora Proyectos, S.L.
Case number
PS/00057/2020
Decision
Related deceptive patterns
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.