The Spanish Data Protection Agency (“AEPD”) appears to be targeting compliance with regulations on cookies. So much so, that on June 9, 2020, it published another decision, establishing a fine of €30,000 for breaches of article 22.2) of Information Society and Electronic Commerce Services Act 34/2002 of July 11, 2002 (“Spanish Information Society Services Act”).
Don’t miss our content
SubscribeThe Spanish Data Protection Agency (“AEPD”) appears to be targeting compliance with regulations on cookies. So much so, that on June 9, 2020, it published another decision, establishing a fine of €30,000 for breaches of article 22.2) of Information Society and Electronic Commerce Services Act 34/2002 of July 11, 2002 (“Spanish Information Society Services Act”). This is not the first time we have reported on fines imposed by the AEPD.
In its decision, the AEPD considers that the company in question had not (i) correctly provided information about the cookies it used, or (ii) clearly identified the purpose of each cookie or the associated third parties. It also held that some of the cookies were installed directly, without requesting any action from users visiting the website.
The complainant in this case was a private citizen who prompted an investigation by the AEPD, which found that:
- The reported website automatically stores a series of cookies in the web browser without any action by the user.
- The banner displayed when the website is accessed has no link to disable cookies or redirect to a second level for cookie settings.
- The bottom of the website does have a link that redirects users to the cookie policy, containing information on cookie use and on how to manage them using the web browser’s settings panel or internal option settings, but it does not offer the possibility to reject them or to carry out granular cookie management.
Based on the above, the AEPD issued a fine of €30,000 for a minor breach of article 22.2 of the Information Society Act. This is the highest fine that can be given for these kinds of breaches and, when deciding to impose it, the AEPD considered a number of aggravating factors, which included the presence of intent, the duration of the breach (from May 2018), the number of users affected by the breach, the nature and extent of the harm caused, and the volume of billing affected. The company in question was also given one month to modify its website.
In the past year, the AEPD has updated its Guidelines on cookies and similar technologies. Subsequently, on May 6, 2020, the European Data Protection Board also updated its Guidelines on consent to address issues such as the requirements for valid consent to install cookies.
Authors: Pedro Mendez de Vigo and Adaya Esteban
Don’t miss our content
Subscribe