Excerpt
The Spanish DPA fined an online genealogy platform for placing unnecessary first-party and third-party cookies before asking for consent, and for not offering sufficient information about cookies in the banner and in their privacy policy.
Our analysis
A Spanish consumers and users organization filed a complaint against MyHeritage, an online genealogy platform, with the Spanish DPA (AEPD), citing deficiencies in information and consent related to cookies, doubts about the processing of data for commercial purposes, deficiencies in information about processing activities, and issues with the privacy policy not clearly specifying that users should only send their own genetic material. The AEPD found that the website placed unnecessary cookies before asking for consent, and that the information provided in the banner and privacy policy was insufficient, violating GDPR Article 13 and Spanish LSSI Article 22(2).
Outcome
The AEPD imposed a fine of €16,000 (reduced from €20,000 due to early payment) on the website controller for violating Article 22(2) LSSI by placing unnecessary cookies and not providing sufficient information about them in the banner and cookies policy.
Parties
Organization of Consumers and Users and My Heritage, Ltd
Case number
PS/00475/2021
Decision
Related deceptive patterns
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Related laws
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.