Ikea Ibérica fined by Spanish DPA
Today (December 4, 2019), Ikea Ibérica was fined €10.000 by the Spanish Data Protection Authority (AEPD) for placing cookies on users’ computers and smartphones without informing them properly and without obtaining valid consent.
Cookies were set as soon as the users entered the website, not giving them an option to reject cookies. Moreover, Ikea Ibérica did not provide users with clear information on the purposes of cookies or personal data processing, only stating that cookies were used to provide users with a “better user experience”.
The AEPD has noted that the practice had not completely been stopped at the time of the press release (December 2019).
Why did Ikea get fined? Lack of valid consent!
In January 2019, the Spanish Data Protection Authority (AEPD) complained that a website placed cookies on the user’s computer/phone without obtaining free, specific, informed, and unambiguous consent, as required by the LSSI and the GDPR when using tracking cookies (i.e., cookies that process personal data).
The AEPD verified that the website placed 23 cookies, among them cookies from Google Analytics (_ga, _gat, _gid), Facebook (_fr), Twitter (personalization_id), and Adform.net (_uid).
Users were prompted with a cookie banner on the first entry, which stated that cookies were used to “make browsing much easier”. All cookies were placed well before the users clicked the only option in the banner: the ‘OK’ button.
Users were instructed to block cookies through their browser settings, which would also block ‘strictly necessary’ cookies such as shopping cart cookies, rendering the website impossible to use for a consumer.
Ikea Ibérica is fined for violating article 22.2 of Law 34/2002 of the LSSI (Services of the Information Society and Electronic Commerce).
How can you become GDPR cookie compliant?
You may use services, plugins, or platforms on your website for website traffic analysis, retargeting, or other purposes. In most cases, these ‘free’ services place tracking cookies in your users’ browsers to track their behavior across the internet for marketing purposes.
When you use these third-party cookies (e.g., Google Analytics, Facebook Pixel, Sleeknote, etc.), you are the data controller and thereby responsible for collecting and storing your users’ valid consent to cookies.
According to the ePrivacy Directive (cookie law) and the GDPR, when using cookies on your website, you have to:
- Inform your visitors of cookies (who owns them; their purpose; lifespan).
- Provide your visitors with the option to decline cookies (and tracking).
- Hold back cookies before consent is obtained.
- Avoid assuming consent through pre-ticked boxes.
- Collect and store consents for 5 years (in case of inspection by DPA).
Cookie Information helps you become GDPR cookie compliant
Cookie Information’s Cookie Consent Solution provides your website with the necessary tools to become ePrivacy and GDPR compliant.
Our cookie pop-up:
- Collects your users’ valid consent to cookies (the banner)
- Blocks cookies before consent is given (prior consent)
- Provides users with the possibility to reject cookies on your website (privacy controls)
- Stores user consents (in case of inspection by DPA)
By giving your users and potential customers the option to protect their data, you not only comply with the GDPR but also increase your brand value and build consumer trust.