Excerpt
The PREICO JURÍDICOS website was fined by the Spanish DPA for violating regulations regarding the use of cookies. The website was found to have used non-technical and non-necessary cookies without obtaining proper consent, failed to display an appropriate cookie banner, and provided insufficient information in its Cookies Policy.
Our analysis
A complaint was filed by an individual with the AEPD regarding the use of non-technical and non-necessary cookies without consent, the absence of an appropriate cookie banner, and the insufficient extent of information provided in the Cookies Policy. The AEPD recalled Article 22(2) LSSI, which mandates that website users be provided with clear and complete information on the use of storage devices, data recovery, and, in particular, on the purposes of data processing. This regulation also applies to cookies on websites, requiring the controller to explicitly obtain consent whenever non-necessary or non-technical cookies are used, such as through an "Accept" button. Users must be allowed to withdraw their consent at any time, as mandated by Article 7 GDPR. A cookie banner must inform users about the identity of the controller, the purposes of using specific types of cookies, the data collected, and the manner in which to accept, reject or adjust the use of cookies. Additionally, there must be a link to a page with more detailed information on the Cookies Policy. The use of "Cookie Walls," which block access to a website unless the user accepts the use of cookies, is prohibited. In the present case, the AEPD found that there was no cookie banner, no possibility to reject non-technical and non-necessary cookies, and no control panel to manage cookies, which amounted to a deceptive pattern of forced action. The AEPD also investigated the compliance of the information provided in the Cookies Policy with Article 22(1) LSSI and concluded that the policy lacked crucial details such as the identity of the controller, the types of cookies used, their functionality, and their active time, which amounts to hidden information.
Outcome
The Spanish Data Protection Agency (AEPD) imposed a fine of €2,000 on a controller for violating Article 22(2) of the LSSI, which requires website operators to provide users with information about the use of cookies and obtain their consent before storing them. The fine was imposed due to the website's non-compliance with the Cookies Policy implemented on their website.
Parties
D.A.A.A (Complainant) and Preico Juridicos, S.L.
Case number
PS-00030-2022
Decision
Related deceptive patterns
Forced action involves a provider offering users something they want, but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.