Excerpt
The Spanish DPA (AEPD) imposed a fine on a radio station for not including a link to their cookie policy in the cookie banner and for placing non-essential cookies on user devices without obtaining prior consent.
Our analysis
The case involved a radio company that a data subject accused of violating privacy laws, alleging that it was impossible to reject cookies on the company's website. Upon accessing the website, users were greeted with a banner that informed them that cookies were being used, but no link to the actual cookie policy was provided. Users were also unable to access the cookie policy before accepting the cookies. Furthermore, the company was found to have installed cookies that were not strictly necessary on users' devices before obtaining their consent. These included analytical cookies like "_cb", "_chartbeat2", "_ga", "_cb_svref", "_cb_ls", and "web_gid" that were used to track user behavior and collect data on website visits. The use of such cookies without the user's consent and without providing adequate information about their use was deemed a violation of Article 22(2) of the Act on Information Society Services and Electronic Commerce, which implements the e-Privacy Directive.
According to this law, service providers may only use data storage and retrieval devices on recipients' terminal equipment if the recipients have given their consent after being provided with clear and complete information on their use, in particular on the purposes of data processing. In this case, the company was found to have violated this law in two ways. First, it installed unnecessary cookies before obtaining the user's consent, which is a clear violation of the law. Second, the company did not provide enough information about the processing of such cookies, as users could not directly access the cookie policy. The cookie banner should have included a direct link to the policy, or the policy should have been available in the second layer, as the user should have been able to access the information before providing consent. The company's actions were also found to involve deceptive patterns, which are design choices that are intentionally misleading or confusing to users. The company's decision to install cookies before obtaining consent and its failure to provide clear and complete information about their use are examples of forced action and hidden information, respectively.
Outcome
The AEPD found that the controller had breached Article 22(2) of the Act on Information Society Services and Electronic Commerce by failing to provide adequate information to users about the use of cookies and by placing unnecessary cookies without obtaining user consent. As a result, the controller was fined €2000, which was reduced by 40% to €1200 due to timely payment and admission of guilt.
Parties
D.A.A.A (Complainant) v. Radio Popular S.A.
Case number
PS-00118-2021
Decision
Related deceptive patterns
Forced action involves a provider offering users something they want, but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.