Excerpt
The Washpoint SL was fined by the Spanish DPA (AEPD) for two violations: first, the absence of a Privacy Policy on their website; and second, the absence of a reject button on the second layer of their Cookie Policy.
Our analysis
The case against The Washpoint SL involved a complaint filed by a claimant alleging that the company's website did not have a Privacy Notice or a Cookie Notice. Upon investigation, the Spanish DPA (AEPD) confirmed that there was indeed no link or document outlining the Privacy Policy on the website. This meant that there was no information available to users regarding the processing of their personal data. The DPA concluded that this lack of a Privacy Policy violated Article 13 of the GDPR.
In addition to the Privacy Policy violation, the Spanish DPA also found that there was no mechanism to reject cookies in the second layer of the Cookie Policy. Instead, only information on how to configure browser settings in the user's terminal equipment was provided. The DPA held that this absence of a reject button on the second layer of the Cookie Policy violated Article 22(2) of the Spanish Law on services of the information society and electronic commerce (LSSI).
The lack of a Privacy Policy and the absence of a reject button on the second layer of the Cookie Policy both involve deceptive patterns. In the case of the Privacy Policy, the information was hidden or not easily accessible, making it difficult for users to make informed decisions about the collection and processing of their personal data. In the case of the Cookie Policy, the absence of a reject button forces users to accept cookies without providing a clear alternative option. Both of these actions violate important privacy and data protection laws, and The Washpoint SL was fined €1000 for each violation, resulting in a total fine of €2000.
Outcome
The DPA imposed a fine of €2000 on The Washpoint SL for breaching Article 13 GDPR and Article 22(2) LSSI. A fine of €1000 was imposed for the lack of information or a privacy policy, and another €1000 fine was imposed for the lack of a reject button in the cookie banner.
Parties
D.A.A.A (Claimant) and Washpoint S.L.
Case number
PS/00268/2020
Related deceptive patterns
Forced action involves a provider offering users something they want, but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.