Ikea Ibérica fined by Spanish DPA
Today (December 4, 2019) Ikea Ibérica was fined €10.000 by the Spanish Data Protection Authority (AEPD) for placing cookies on users’ computers and smartphones without properly informing them and without obtaining valid consent.
Cookies were set as soon as the users entered the website, not giving them an option to reject cookies. Moreover, Ikea Ibérica did not provide users with clear information on the purposes of cookies or personal data processing, only stating that cookies were used to provide users with a “better user experience”.
The AEPD noted that the practice had not been completely stopped at the time of the press release (December 2019).
Why did Ikea get fined? Lack of valid consent!
In January 2019, the Spanish Data Protection Authority (AEPD) received a complaint that a website placed cookies on the user’s computer/phone without having obtained the free, specific, informed and unambiguous consent that the LSSI and the GDPR require when using tracking cookies (i.e. cookies that process personal data).
The AEPD verified that the website placed 23 cookies, among them cookies from Google Analytics (_ga, _gat, _gid), from Facebook (_fr), Twitter (personalization_id) and Adform.net (_uid).
Users were prompted with a cookie banner on first entry which stated that cookies were used to “make browsing much easier”. All cookies were placed well before the users clicked the only option in the banner: the ‘OK’ button.
Users were instructed to block cookies through their browser settings, which would also block ‘strictly necessary’ cookies such as shopping cart cookies, rendering the website basically impossible to use for a consumer.
Ikea Ibérica was fined for violating Article 22.2 of the LSSI (Law 34/2002 on Services of the Information Society and Electronic Commerce).
How can you become GDPR cookie compliant?
You may use services, plugins or platforms on your website for website traffic analysis, for retargeting or other purposes. In most cases, these ‘free’ services place tracking cookies in your users’ browser to track their behavior across the internet for marketing purposes.
When you use these third-party cookies (e.g. Google Analytics, Facebook Pixel, Sleeknote etc.) you are the data controller and thereby responsible for collecting and storing your users’ valid consent to cookies.
According to the ePrivacy Directive (cookie law) and the GDPR, when using cookies on your website you have to:
- Inform your visitors of cookies (who owns them; their purpose; lifespan).
- Provide your visitors with the option to decline cookies (and tracking).
- Hold back cookies before consent is obtained.
- Avoid assuming consent with pre-ticked boxes.
- Collect and store consents for 5 years (in case of inspection by DPA).
Cookie Information helps you become GDPR cookie compliant
Cookie Information’s Cookie Consent Solution provides your website with the necessary tools to become ePrivacy and GDPR compliant.
Our cookie pop-up:
- Collects your users’ valid consent to cookies (the banner)
- Blocks cookies before consent is given (prior consent)
- Provides users with the possibility to reject cookies on your website (privacy controls)
- Stores user consents (in case of inspection by DPA)
By giving your users and potential customers the option to protect their personal data, you not only comply with the GDPR, you also increase your brand value and build consumer trust.