D.A.A.A (Complainant) v. Radio Popular S.A.

€1200 in fines


The Spanish DPA (AEPD) imposed a fine on a radio station for not including a link to their cookie policy in the cookie banner and for placing non-essential cookies on user devices without obtaining prior consent.

Our analysis

The case in question involved a radio company that was accused of violating privacy laws by a data subject who alleged that it was impossible to reject cookies on their website. Upon accessing the website, users were greeted with a banner that informed them that cookies were being used, but no link to the actual cookie policy was provided. Users were also unable to access the cookie policy before accepting the cookies. Furthermore, the company was found to have installed non-strictly necessary cookies on users' devices before obtaining their consent. These included analytical cookies like "_cb", "_chartbeat2", "_ga", "_cb_svref", "_cb_ls", and "web_gid" that were used to track user behavior and collect data on website visits. The use of such cookies without the user's consent and without providing adequate information about their use was deemed a violation of Article 22(2) of the Act on Information Society Services and Electronic Commerce, which implements the e-Privacy Directive. 
According to this law, service providers may only use data storage and retrieval devices on recipients' terminal equipment if they have given their consent after being provided with clear and complete information on their use, in particular on the purposes of data processing. In this case, the company was found to have violated this law in two ways. First, they installed unnecessary cookies before obtaining the user's consent, which is a clear violation of the law. Secondly, the company did not provide enough information about the processing of such cookies, as the users could not directly access the cookie policy. The cookie banner should have included a direct link to the policy or it should have been available in the second layer, as the user should have been able to access the information before providing consent. The company's actions were also found to involve deceptive patterns, which are design choices that are intentionally misleading or confusing to users. The company's decision to install cookies before obtaining consent and failure to provide clear and complete information about their use is an example of a forced action and hidden information, respectively.


The AEPD found that the controller had breached Article 22(2) of the Act on Information Society Services and Electronic Commerce by failing to provide adequate information to users about the use of cookies and by placing unnecessary cookies without obtaining user consent. As a result, the controller was fined €2000, which was reduced by 40% to €1200 due to timely payment and admission of guilt.


D.A.A.A (Complainant) v. Radio Popular S.A.

Case number


Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us