In this post we will analyze a recent resolution of the Spanish Data Protection Agency (AEPD) about a company sanctioned for non-compliance with the Cookie Guide (published in July 2020) on its website.
The Spanish Data Protection Agency (AEPD) performs a first study of the website
1. “Reject cookies” button
The cookie banner did not offer a “Reject cookies” option for cookies that were not technical or necessary.
On top of this, the design of the links was found to be misleading to the user.
The “Manage cookies” option button in the Control Panel used a link design (highlighted or underlined text), while the “Accept all cookies” button used a clear design with boxed square text.
Additionally, different colors and contrasts were used for the different options offered.
2. Removal of Consent
The complainant stated that the accused company did not make withdrawing consent as easy as giving it: the “Give consent” option was offered in a much simpler way.
The complainant also added that once consent was given by clicking on the “Accept all Cookies” or “Accept any group of Cookies” button through the Control Panel, there was no option to withdraw that consent at a later date.
The Spanish Data Protection Agency (AEPD) performed a second study of the operation of cookies and consent of the website dated March 16, 2023. It observed the following:
- No mechanism or access to the Control Panel that would allow the subsequent withdrawal of the consent given. The user was not offered, in the event of a change of mind, the option to deny the consent given.
- Impossibility of rejecting cookies that had been previously accepted.
- Lack of sufficient information in the first layer about the purpose of installing cookies.
The Spanish Data Protection Agency (AEPD) performs a new study of the website on June 6, 2023.
On June 6, 2023, the Spanish Data Protection Agency carried out a new study of the website, in response to the allegations made by the entity complained against.
1. Use of technical or necessary cookies
When accessing the website for the first time, and without giving consent, it was observed that only technical or necessary cookies were used.
The cookie banner is displayed as soon as the user accesses the website for the first time and offers the possibility to “Configure cookies”. The groups of cookies are pre-marked in the “OFF” option.
If the user clicks on “Confirm my preferences” without having changed any of the boxes from the “OFF” to the “ON” position, or clicks on the “Reject all” option with the intention of rejecting cookies that are not technical or necessary, the website continues using the same cookies as those detected at the beginning.
2. Withdrawal of consent
By taking this route, it is apparent that the website was NO longer using the cookies that were consented to, and only used the technical or necessary cookies detected at the beginning.
Compliance of the Respondent Entity with the Cookie Usage Guidelines
1. Cookie information banner
The cookie banner on the Respondent entity’s website as of March 16, 2023 was as follows:
It is considered, therefore, that the text contained in the Cookies Banner is in accordance with the provisions of Article 22.2 of the Law of Services of the Information Society.
This is so because it includes a generic identification of the purposes of the cookies to be used.
After the allegations to the proposed resolution, the Spanish Data Protection Agency carried out a third check of the website in question. They detected the following:
In this sense, although the person responsible for the website modified the cookie policy to adapt it to the current regulations, this does not exclude the non-compliance proven in the first check of the website by the Spanish Data Protection Agency (AEPD).
Company sanctioned for non-compliance with the Cookie Guide of July 2020.
Article 22.2 of the Law on Information Society Services states that the user’s consent must be given after providing clear and complete information on the purposes of the processing of their data.
The infringement of this provision is classified as “minor” and may incur a fine of up to €30,000.
In the case at hand, and after an assessment of the above factors, a fine of €5,000 was imposed.