The case reported the violation of several data protection laws by two websites of a controller. The AEPD received a complaint indicating that both websites lacked a privacy and cookies policy, or any other kind of information regarding the data that they process. The investigation conducted by the AEPD revealed that one of the websites had a privacy and cookies policy, but both websites gathered consent from the user in a generic way, with no option to specify the processing they wanted to consent to. The AEPD found that the website placed unnecessary third-party cookies on the user's device without consent. The cookie banner only provided generic information and did not have a button to reject the cookies in its first layer. An option to reject cookies was included in the banner during the proceeding. In the second layer, the user could reject unnecessary cookies. However, the authority found that, even when exercising this option, the cookies were still used.
The AEPD held that the cookie banner of the website violated Article 22(2) of the Spanish Information Society Services Act (LSSI), which implements the e-Privacy Directive, as it did not properly inform the user that the website used third-party cookies with marketing purposes that would create a profile based on the user's navigation behaviour to show them advertisements related to their preferences. It also violated Article 22(2) by not allowing users to reject such cookies, using them without consent, even when the user had deactivated the option. Furthermore, during the investigation, the controller deleted the second website, which lacked a privacy and cookies policy, redirecting the user to the first website when using its domain. The AEPD also found that there had been a violation of Article 7 GDPR before the controller allowed the user to choose the specific processing they wanted to consent to. The case involved several deceptive patterns, including forced action and hidden information. The websites gathered consent from users in a generic way, without allowing them to choose specific processing. The cookie banner provided only generic information, with no button to reject the cookies in the first layer. The controller also used unnecessary third-party cookies without consent, even when the user had exercised the option to reject them.