Excerpt
Just Landed, a Spanish entity, has been fined by the Spanish DPA for having a privacy policy written only in English and not providing a mechanism to accept, reject or manage cookies.
Our analysis
The Spanish DPA has fined the entity behind the URL.1 website for violating GDPR and LOPDGDD regulations. The website's privacy policy was written only in English, despite the entity being located in Spanish territory, which amounts to language discontinuity. Additionally, the website did not have a banner or notice related to the existence of cookies, and there was no link or mechanism for users to accept, reject or manage cookie installation. Cookies were loaded automatically without any prior action, amounting to forced action. These deceptive patterns violate article 13 of the GDPR, which requires the provision of information to interested parties at the time of data collection.
Outcome
The outcome is a €3,000 sanction for improper use of data storage and recovery devices without consent. JUST LANDED, SL must include a Spanish "privacy policy" and information on cookies, with a mechanism for users to manage preferences. They must also ensure cookies are not installed unnecessarily. Failure to comply may result in a €30,000 fine.
Parties
Mr. A.A.A. (Claimant) and Just Landed, S.L.
Case number
PS/00036/2020
Decision
Related deceptive patterns
The trick wording deceptive pattern takes advantage of user expectations and ambiguous language to mislead and deceive users. It is normal for users to scan-read when they are online, as a way to cope with the sheer volume of information they are faced with. This means they don't read and dwell on every word on every page. Trick wording usually takes advantage of the scan reading strategy, by making a piece of content look like it is saying one thing, when in fact it is saying something else that is not in the user's best interests.
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Related laws
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Empowers supervisory authorities to carry out investigations and order controllers and processors to comply with the regulation.
Outlines conditions for fines and penalties for non-compliance, including up to 4% of global annual revenue or €20 million, whichever is greater.
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.