D.A.A.A. (Claimant) v. Happy Friday, SL

€1500 in fines

Excerpt

A controller was fined by the AEPD for inadequate cookie information on its website, including a lack of information on tracking cookies and a vague cookie policy without an easy uninstall tool.

Our analysis

The case involves a complaint of non-compliance regarding the processing of personal data and the use of cookies on a company's website. The complainant alleged that employees could access all types of personal data, regardless of their tasks, without using login credentials or passwords. The complainant also claimed that the company's website did not provide adequate information regarding the use of cookies. The first pop-up banner did not inform users about the existence of tracking cookies, and the full cookie policy was vague and did not provide an easy way to uninstall cookies.

The Spanish data protection authority (AEPD) was tasked with investigating the complaint and assessing whether the processing was safeguarded with appropriate technical and organisational measures. The AEPD also had to verify whether the controller had respected the Spanish implementation of the ePrivacy Directive and had provided clear and complete information on the use of cookies.

After a thorough investigation, the AEPD found that some of the complainant's statements were not accurate. The company had improved its security measures by limiting employees' access to personal data and resources required to carry out their tasks. Printed manuals and personal data were stored in locked filing cabinets, and access to the office was only allowed to authorised personnel.

However, the AEPD did find that the company's website was not compliant with Article 22(2) of the Spanish ePrivacy Directive. The first layer of the pop-up notification did not provide sufficient information for users to understand the use of cookies. Phrases like "improve our services" were not descriptive enough to inform users about the types of cookies used. The second layer of the cookie policy did not describe the types of cookies used or provide information about their sources (first or third-party). Additionally, there was no tool to manage cookies in a granular way.

As a result of these findings, the AEPD determined that the company had violated Article 22(2) of the Spanish ePrivacy Directive and imposed appropriate sanctions.

Outcome

Following an investigation into a complaint of general non-compliance regarding processing, the AEPD found that some statements were no longer accurate in terms of appropriate technical and organisational measures. However, it found a violation of Article 22(2) of the LSSI with regard to the Cookie Policy. As a result, the case was partly upheld, and a fine of €1500 was imposed on the controller.

Parties

D.A.A.A. (Claimant) and Happy Friday, SL

Case number

PS/00473/2019


Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.
