The Spanish Data Protection Agency (Agencia Española de Protección de Datos – AEPD) is currently particularly interested in regularising the massive non-fulfilment of the data protection regulations regarding the use of cookies on websites, specifically by pursuing and fining those website owners who do not appropriately regulate the operation of their sites.
Along these lines, a resolution was published on 9th June 2020 wherein a fine of Euro 30,000 was imposed for the breach of article 22.2 of the Law on Information Society Services (Ley de Servicios de la Sociedad de la Información – LSSI). This type of sanction is beginning to become recurrent in the actions of the AEPD.
In this resolution it is determined that the sanctioned company does not correctly provide information regarding the cookies it uses, nor does it clearly identify the purpose of each cookie or the third-party collaborators who may make use of the information collected by the cookies.
Likewise, the page installs cookies directly, without requesting any action on the part of the user accessing the website.
In this case, the actions were initiated upon the complaint of an individual, whereupon the AEPD embarked upon the corresponding measures of investigation.
In particular, it was able to determine the following:
a) upon accessing the home page of the site, and without having taken any kind of action, it is verified that up to 7 different cookies are stored automatically in the browser.
b) in the cookie banner, there is no link or button of any kind that allows the user to reject said cookies, or that redirects the user to a second layer for the management and setup of the cookies.
c) for information purposes, a link exists on the home page with the necessary information regarding what cookies consist of, why they are used, and how to manage their use in the browsers and operating systems of mobile telephones. However, no option is provided for actually rejecting their use, either totally or in part.
Taken as a whole, all of the above represents an infringement of article 22.2 of the LSSI, according to which:
“Service providers may use devices for the storage and recuperation of data in the terminal equipment of the recipients, on the condition that the latter have given their consent having been provided with clear and complete information regarding their use, in particular, for the purposes of data processing […].
When it is technically possible and effective, the consent of the recipient for accepting data processing may be facilitated through the use of the appropriate parameters of the browser or other applications.
The above shall not impede the possible storage or access of a technical nature for the sole purpose of carrying out a communication through an electronic communications network or, to the extent strictly necessary, for the provision of an information society service expressly requested by the recipient”.
This breach is typified as minor in article 38.4 g) of the LSSI, which considers as such: “Using devices for the storage and recuperation of data when information had not been provided or the consent of the recipient of the service had not been obtained under the terms required by article 22.2”, and which may be sanctioned with a fine of up to Euro 30,000, in accordance with article 39 of the aforementioned LSSI.
For this reason, it is highly recommended that the specific recommendations regarding the use of cookies, published both by the AEPD itself at the end of 2019 and by the European Data Protection Committee recently in May, be reviewed in detail and implemented.
- https://www.aepd.es/sites/default/files/2019-12/guia-cookies_1.pdf
- https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf
Andreas Terán
Vilá Abogados
10th July 2020