The Spanish DPA found an online clothing store responsible for handling personal data without consent from the people involved, not having a privacy policy in place, and using unnecessary cookies without informing users properly through a cookie banner.
Excerpt
Our analysis
Lia's Clothes, an online clothes store, was found liable for not having an adequate privacy policy or cookie banner. Upon investigation, the Spanish DPA (AEPD) found that personal data was collected without informing the data subjects about the protection of their personal data and without providing a link to a privacy policy. Additionally, non-essential cookies were used on the website without providing appropriate information through a banner or giving data subjects the option to reject them. The AEPD held that the online store violated Article 6(1) GDPR by processing personal data without clear, affirmative, informed, and freely given consent. Furthermore, by not having a privacy policy and not disclosing who the controller of the personal data was, the online store also violated Article 13 GDPR. Lastly, the use of non-essential cookies without a cookie banner violated Article 22.2 of the Spanish Law of Information Society Services (LSSI), which requires clear and complete information on the use of cookies and the option to reject them.
Outcome
The AEPD fined the owner of an online store €3000 for three violations of data protection laws. The owner voluntarily paid the fine and accepted responsibility, resulting in a reduced fine of €1800. Additionally, the AEPD ordered the owner to add a proper privacy policy and cookie banner to their website to comply with data protection laws.
Parties
Mrs. A.A.A. (Lia’s Clothing) and Zulmar Santamaria, S.L.
Case number
PS/00603/2021
Decision
Related deceptive patterns
Forced action involves a provider offering users something they want, but requiring them to do something in return. It may be combined with other deceptive patterns such as sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent": combining multiple agreements into a single action and making it hard or impossible for a user to selectively grant consent.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
The legal bases for processing personal data are performance of a contract, compliance with a legal obligation, protection of vital interests, the controller's legitimate interests, and the data subject's consent.
Controllers must provide their identity and contact details, the purposes and legal basis of the processing, recipient information, the retention period, and the data subject's rights when collecting personal data.
Informed consent is required for the use of data storage and retrieval devices, unless they are strictly necessary for providing the service, and clear information must be provided about such use.