Excerpt
Miguel Ibáñez Bezanilla was fined by the Spanish DPA for multiple violations related to his website. These included the absence of a banner on cookies usage, insufficient information on the identity, features, and length of cookies, and the lack of an option to refuse them. The website was found to be technically unsafe, the privacy policy was not updated, and the provided cookie information was inadequate.
Our analysis
Miguel Ibáñez Bezanilla, S.L. was fined by the AEPD for violating various data protection regulations related to its website. The violations included the lack of safety measures for the website, the absence of data protection information and storage periods, and insufficient cookie information. The company's website required personal data such as name, surname, national ID, driving licence, chassis number, car number plate, and payment proof to make an order. However, the website did not offer a safe encryption protocol, making communication interception possible. The privacy policy was also outdated and referred to the former Spanish data protection law. Moreover, there was no banner on cookies usage, and the detailed part of the website referring to cookies did not provide information on identity, features or length, nor any option to refuse them. The defendant did not respond to AEPD's requirements, and the agency initiated a sanction procedure. The AEPD found that the defendant had violated Article 32 GDPR, Article 13 GDPR, and Article 22 LSSI due to the use of deceptive patterns such as hidden information and forced actions to conceal information and breach legal obligations.
Outcome
The defendant was ordered by AEPD to rectify all the website violations within one month of the decision and also received a fine of € 3000.
Parties
D.A.A.A (complainant) and Miguel Ibáñez Bezanilla
Case number
PS/00185/2020
Decision
Related deceptive patterns
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.