The Spanish DPA imposed a fine on the owner of a commercial website for processing personal data without proper consent, using unnecessary third-party cookies that could not be rejected, and failing to provide clear information about the cookies in use in the Cookies policy.
Excerpt
Our analysis
Ms. A.A.A., the owner of a commercial website, was the subject of a complaint lodged by a data subject, Mr. B.B.B., who claimed that the website failed to comply with GDPR Article 6 and Article 13, along with Article 22.2 of the Spanish LSSI. The data subject highlighted three issues with the controller's website: the contact form, the Privacy Policy, and the Cookie Policy. Firstly, the contact form did not give the data subject the option to consent to the processing of their personal data, including their name and email address. Secondly, the Privacy Policy failed to disclose all of the information required by GDPR Article 13, so the controller did not fulfil their obligation to inform. Because this information was hidden, any consent obtained was not informed, which was treated as a lack of consent in violation of GDPR Article 6. Thirdly, the third-party cookies used on the website were neither necessary nor functional, and the user had no way to reject them, amounting to forced action.
Additionally, Google cookies were already being set before the data subject had actively and expressly given consent or taken any action on the website. The Cookie Policy did not provide detailed information about the cookies in use, such as their lifetime, purpose, or precise identification. Processing personal data without the data subject's consent violated GDPR Article 6. Furthermore, the data subject was not informed about the use of cookies, and the controller did not offer the data subject the opportunity to reject them, violating Article 22.2 LSSI. The DPA further explained that the information provided to the user about the use of data storage and retrieval devices, as well as the purposes of processing (including cookies), must be disclosed in accordance with the GDPR.
Outcome
The Spanish Data Protection Authority fined the controller €3,000 for processing personal data without consent, in violation of Article 6 GDPR, and for a Privacy Policy that did not meet the information requirements of Article 13 GDPR. The controller also violated Article 22(2) LSSI by using cookies without consent and failing to provide clear information on the purposes of data processing. The controller had to adapt the website to comply with GDPR requirements and paid a reduced fine of €1,800.
Parties
Mr. B.B.B (Data Subject) v. Ms. A.A.A (Owner of Commercial Website)
Case number
PS-00132-2022
Decision
Related deceptive patterns
Forced action involves a provider offering users something they want, but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, making it hard or impossible for a user to selectively grant consent.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Article 6 GDPR: The legal bases for processing personal data are performance of a contract, compliance with a legal obligation, protection of vital interests, the controller's legitimate interests, and the data subject's consent.
Article 13 GDPR: Controllers must provide their identity and contact details, the purposes and legal basis of processing, recipient information, the retention period, and the data subject's rights when collecting personal data.
Article 22.2 LSSI: Requires informed consent for the use of data storage and retrieval devices (such as cookies), unless they are strictly necessary for providing the service, and mandates that clear information be provided about such use.