Abanca Corporación Bancaria was found to be using unnecessary cookies on its website without obtaining prior consent from users, leading to a fine by the Spanish Data Protection Agency (AEPD).
Excerpt
Our analysis
The case of Abanca's use of cookies without obtaining consent from the user raises concerns about compliance with privacy regulations. The AEPD received a complaint about the installation of cookies by Abanca without consent, specifically third-party cookies from Google and Weborama that were installed before the cookie banner appeared. The AEPD found that this constitutes a violation of the cookies regulation, which requires obtaining consent before installing non-necessary cookies. Furthermore, the AEPD discovered that Abanca did not properly identify the cookies that were placed before obtaining consent in their cookie information page. This lack of transparency regarding the use of cookies violates the principles of the GDPR, which require clear and concise information to be provided to data subjects. Abanca's actions may also be in violation of Article 22(2) LSSI, which implements the e-Privacy Directive. This regulation requires that users be informed about the use of cookies and be given the opportunity to reject their installation. By installing non-necessary cookies before obtaining consent, Abanca may be seen as engaging in deceptive patterns of forced action and hidden information, which undermines the principles of transparency and user choice.
Outcome
Abanca was fined €5,000 by the AEPD, which was later reduced to €3,000 as a result of the company acknowledging its responsibility and making an early payment. The AEPD also ordered Abanca to implement necessary modifications to their websites to ensure that cookies are not used without obtaining the user's consent.
Parties
D.A.A.A. (complainant) and Abanca Corporacion Bancaria, S.A.
Case number
PS/00024/2021
Decision
Related deceptive patterns
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.