Organization of Consumers and Users v. My Heritage, Ltd

The Spanish DPA fined a online genealogy platform for placing unnecessary own and third-party cookies before asking for consent, and for not offering sufficient information about cookies in the banner and in their privacy policy.

A Spanish consumers and users organization filed a complaint against MyHeritage, an online genealogy platform, with the Spanish DPA (AEPD), citing deficiencies in information and consent related to cookies, doubts about the processing of data for commercial purposes, deficiencies in information about processing activities, and issues with the privacy policy not clearly specifying that users should only send their own genetic material. The AEPD found that the website placed unnecessary cookies before asking for consent, and that the information provided in the banner and privacy policy was insufficient, violating GDPR Article 13 and Spanish LSSI Article 22(2).

The AEPD imposed a fine of €16,000 (reduced from €20,000 due to early payment) on the website controller for violating Article 22(2) LSSI by placing unnecessary cookies and not providing sufficient information about them in the banner and cookies policy.

Organization of Consumers and Users and My Heritage, Ltd