Excerpt
The Spanish DPA imposed a fine on an adult content website for violating data protection regulations. The website was penalised for using cookies without providing adequate information about their nature and purposes, as well as for having an outdated privacy policy that did not comply with the GDPR.
Our analysis
The Spanish DPA (AEPD) investigated Ramona Films S.L. (previously Kalandrakas Films S.L.), owner of https://www.putalocura.com, a website featuring adult and pornographic content, for potential processing of personal data and profiling of individuals under 14. The website had a warning about the adult content and advised minors to leave the site, but the AEPD discovered that the site used Forced Action by not providing an option to reject non-essential cookies or a second layer to select specific cookies. Additionally, when accessing the site, non-essential cookies were used without prior consent, and there was hidden information about the nature and identity of the cookies. The AEPD determined that the site's cookie policy violated the Spanish Law of Information Society Services (LSSI), which requires complete information on cookie use and data processing purposes and GDPR compliance when cookies identify users. The AEPD also found that the website's privacy policy referred to outdated data protection laws, demonstrating hidden information and inadequate data protection information, violating Article 13 GDPR.
Outcome
After finding Lia's Clothes (an online clothes store) in violation of Article 22.2 of the Spanish Law of Information Society Services and Article 13 of the GDPR, the AEPD issued a fine of €10,000. However, because the controller paid the fine within the given timeframe and without objection, the fine was reduced to €8000. The AEPD also ordered the controller to revise its privacy and cookie policy to comply with GDPR regulations.
Parties
Ramona Films S.L. and Spanish Agency for Protection of Data
Case number
PS/00483/2021
Decision
Related deceptive patterns
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.