Mr. B.B.B (Data Subject) v. Ms. A.A.A (Owner of Commercial Website)

€1,800 in fines


The Spanish DPA imposed a fine on the owner of a commercial website for processing personal data without proper consent, using unnecessary third-party cookies that could not be rejected, and failing to provide clear information about the cookies in use in the Cookies policy.

Our analysis

Ms. A.A.A., the owner of a commercial website, was the subject of a complaint lodged by a data subject, Mr. B.B.B., who claimed that the website failed to comply with GDPR Article 6 and Article 13, along with Spanish national law Article 22.2 LSSI. The data subject highlighted three issues with the controller's website: the contact form, the Privacy Policy, and the Cookie Policy. Firstly, the contact form on the website did not provide the data subject with the option to consent to the processing of their personal data, including their name and email address. Secondly, the website's Privacy Policy failed to disclose all relevant information as required by GDPR Article 13, thus the controller did not fulfil their obligation to inform. This deceptive pattern of hidden information was seen as a lack of consent violating GDPR Article 6. Thirdly, the use of third-party cookies on the website was neither necessary nor functional, and the user was unable to reject these cookies, amounting to forced action. 
Additionally, Google cookies were already in use even before the data subject actively and expressly gave their consent or took action on the website. The Cookie Policy did not provide detailed information about the cookies in use, such as the activity time, mission, or precise identification of the cookies. The processing of personal data without the consent of the data subject violated GDPR Article 6. Furthermore, the data subject was not informed about the use of cookies, and the controller did not offer the data subject the opportunity to reject them, thus violating Article 22.2 LSSI. The DPA further explained that the information provided to the user about the use of storage devices and data recovery, as well as the purposes of processing (including cookies), must be disclosed in accordance with GDPR provisions.


The Spanish Data Protection Authority fined a controller €3,000 for processing personal data without consent, violating Article 6 GDPR and Article 13 GDPR for the Privacy Policy. The controller also violated Article 22(2) LSSI by using cookies without consent and failing to provide clear information on data processing purposes. The controller had to adapt the website to comply with GDPR requirements and paid a reduced fine of €1,800.


Mr. B.B.B (Data Subject) v. Ms. A.A.A (Owner of Commercial Website)

Case number


Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us