Excerpt
The Spanish Data Protection Authority (DPA) imposed a fine on a website for violating data privacy laws by installing third-party cookies without user consent and failing to provide sufficient information about the purpose of these cookies. Additionally, the website did not offer an option to reject these cookies and continued to use them without consent even after the user had deactivated the option.
Our analysis
The case concerned the violation of several data protection laws by two websites run by the same controller. The AEPD received a complaint indicating that both websites lacked a privacy and cookies policy, or any other kind of information regarding the data they process. The AEPD's investigation revealed that one of the websites did have a privacy and cookies policy, but both websites gathered consent from the user in a generic way, with no option to specify which processing the user wanted to consent to. The AEPD found that the website placed unnecessary third-party cookies on the user's device without consent. The cookie banner only provided generic information and had no button to reject the cookies in its first layer; an option to reject cookies was added to the banner during the proceedings. In the second layer, the user could reject unnecessary cookies. However, the authority found that, even when the user exercised this option, the cookies were still set and used.
The AEPD held that the website's cookie banner violated Article 22(2) of the Spanish Information Society Services Act (LSSI), which implements the e-Privacy Directive, because it did not properly inform the user that the website used third-party cookies for marketing purposes that would build a profile from the user's browsing behaviour in order to show them advertisements matching their preferences. It also violated Article 22(2) by not allowing users to reject such cookies, and by using them without consent even after the user had deactivated the option. Furthermore, during the investigation, the controller took down the second website, which lacked a privacy and cookies policy, and redirected its domain to the first website. The AEPD also found that Article 7 GDPR had been violated in the period before the controller allowed the user to choose the specific processing they wanted to consent to. The case involved several deceptive patterns, including forced action and hidden information. The websites gathered consent from users in a generic way, without allowing them to choose specific processing. The cookie banner provided only generic information, with no button to reject the cookies in the first layer. The controller also used unnecessary third-party cookies without consent, even when the user had exercised the option to reject them.
Outcome
The AEPD issued a set of decisions against the controller for several violations of the GDPR and the LSSI. The controller was warned for gathering consent in a generic way, fined €3000 for installing third-party cookies without consent, and warned for not having a privacy policy on its second website. Additionally, the controller was ordered to adapt its website's "cookies policy", including the necessary information in the cookie banner and preventing the use of unnecessary cookies until the user has given consent.
Parties
Sub Directorate General for Data Inspection and Flexografica Del Mediterraneo, S.L.
Case number
PS/00388/2020
Decision
Related deceptive patterns
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.