In this post we will analyze a recent resolution of the Spanish Data Protection Agency (AEPD) about a company sanctioned for non-compliance with the Cookie Guide (published in July 2020) on its website.

The Spanish Data Protection Agency (AEPD) performs a first study of the website

1. “Reject cookies” button

The Cookie Banner did not offer the possibility of “Reject cookies” that were not technical or necessary.

On top of this, the design of the links was found to be misleading to the user.

The “Manage cookies” option button in the Control Panel used a link design (highlighted or underlined text), while the “Accept all cookies” button used a clear design with boxed square text.

Additionally, different colors and contrasts were used for the different options offered.

2. Removal of Consent

The complainant stated that the accused company did not facilitate the removal of consent, unlike the “Give consent” option. This option was offered in a much simpler way.

It also added that once consent was given after clicking on the “Accept all Cookies” or “Accept any group of Cookies” button through the Control Panel, there was no option to withdraw consent if you wished to do so at a later date.

 

The Spanish Data Protection Agency (AEPD) performed a second study of the operation of cookies and consent of the website dated March 16, 2023. It observed the following:

  1. Inexistence of a mechanism or access to the Control Panel that would allow the subsequent withdrawal of the consent given. The user was not offered, in the event of a change of mind, the option to deny the consent given.
  2. Impossibility of rejecting cookies that had been previously accepted.
  3. Lack of sufficient information in the first layer about the purpose of installing cookies.

In case of wanting to reject the use of cookies by clicking on the “Reject all” option or by moving the course from the “ON” position to the “OFF” position of the different groups of cookies, and clicking on “Confirm my preferences”, the website continued using the third-party cookies installed when they were accepted at the beginning.

The Spanish Data Protection Agency (AEPD) performs a new study of the website on June 6, 2023.

On June 6, 2023, the Spanish Data Protection Agency carried out a new study of the website. It was in response to the allegations made by the complained entity.

1. Use of technical or necessary cookies

When accessing the website for the first time, and without giving consent, it was observed that only technical or necessary cookies were used.

With regard to the cookies banner, this is displayed as soon as you access the website for the first time, which offers the possibility to “Configure cookies”. The groups of cookies are pre-marked in the “OFF” option.

If you wish to click on “Confirm my preferences” without having changed any of the boxes from the “OFF” to the “ON” position, or by clicking on the “Reject all” option with the intention of rejecting cookies that are not technical or necessary, the website continues using the same cookies as those detected at the beginning.

2. Withdrawal of consent

The website offered the option to refuse the use of cookies by clicking on the “refuse all” option or by moving the course from the “ON” position to the “OFF” position of the different groups of cookies, and clicking on “confirm my preferences”.

By taking this route, it is apparent that the website was NO longer using the cookies that were consented to, and only used  the technical or necessary cookies detected at the beginning.

Compliance of the Respondent Entity with the Cookie Usage Guidelines

1. Cookie information banner

The cookie banner on the Respondent entity’s website as of March 16, 2023 was as follows:

“By clicking “Accept all cookies”, you agree that cookies are stored on your device to improve site navigation, analyze site usage, and assist our studies for marketing. “Cookie Policy”.

It is considered, therefore, that the text contained in the Cookies Banner is in accordance with the provisions of Article 22.2 of the Law of Services of the Information Society.

This is so because it includes a generic identification of the purposes of the cookies to be used.

2. Removal of the consent for the use of cookies once it has been given

After the allegations to the proposed resolution, the Spanish Data Protection Agency carried out a third check of the website in question. They detected the following:

Once consent has been granted for the use of cookies that are not technical or necessary, if you wish to remove the consent given, the website no longer uses the cookies that were allowed, returning to use only the technical or necessary cookies detected at the beginning, disappearing third-party cookies.

In this sense, despite the fact that the person responsible for the website modified the cookies policy adapting it to the current regulations, it does not exclude the non-compliance proven in the first check of the website by the Spanish Data Protection Agency (AEPD).

Company sanctioned for non-compliance with the Cookie Guide of July 2020.

Article 22.2 of the Law on Information Society Services states that the user’s consent must be given after providing clear and complete information on the purposes of the processing of their data.

The infringement of this provision is classified as “minor” and may incur a fine of up to €30,000.

In the case in hand, and after an assessment of the above factors, a fine of €5,000 was imposed.

 

Auratech Legal Solutions can access our post on the Update of the Guide on the Use of Cookies.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *