Spanish Data Protection Authority fines companies for violations to cookie laws

Spain: AEPD issues four fines for unlawful use of cookies and cookie banners. In short, here’s what you can do to comply with data protection regulations and prevent fines.


Spanish Data Protection Authority hands out cookie fines

What do Innova Resort, Garantiza Automoción, Petrolis Independents and Twitter have in common?

Well, in June they were all fined by the Spanish Data Protection Authority (AEPD) for unlawful use of cookies on their websites.

All of these company websites used cookies but, according to the AEPD, failed to inform users properly about cookies and to collect their consent to cookies.

#1 - Used cookies without user consent

Innova Resort S.L. was fined €3.000 for storing analytics and advertising cookies without requesting its users’ consent.

Cookies were stored on the visitors’ computers without the user carrying out any action. Furthermore, users were instructed to use browser settings to control and delete cookies.

How to solve the issue?

  • Collect your visitors' consent to cookies.
  • Block cookies until you get consent.
  • Make sure your users can manage cookies directly in your cookie pop-up.

Link: AEPD Resolution against Innova Resort S.L. (in Spanish only)

#2 - Users not presented with a cookie banner

Garantiza Automoción S.L. has also been fined €3.000 for not presenting users with a cookie banner or cookie pop-up.

As a result, the website did not give users the opportunity to be informed about cookies or to make any choices regarding the cookies stored on their computers.

Although the website made a link to a cookie policy available, the mechanism did not give users the possibility to manage their data choices.

How to solve the issue?

  • Get a solid cookie pop-up to inform your users of cookies.
  • Let them know what data you collect and who has access to the data.
  • Provide users with the possibility to manage their own personal data – it pays off in goodwill.

Link: AEPD Resolution against Garantiza Automoción S.L. (in Spanish only)

#3 - No mechanism to manage cookies or consent

The AEPD has fined Petrolis Independents S.L. €3.000 for not letting users choose which cookies to accept and which to reject.

Technically speaking, their cookie policy did not include a mechanism that enabled granular control of cookie consents.

Furthermore, the cookie policy did not mention that unnecessary cookies were set when the user entered the website without having carried out any action.

How to solve the issue?

  • Provide users with options for accepting or rejecting cookies by purpose (e.g. statistics or marketing).
  • Inform your users about cookies in a cookie banner. Be transparent about the data you collect.

Link: AEPD Resolution against Petrolis Independents S.L. (in Spanish only)

#4 - No possibilities to reject cookies

AEPD fines Twitter €30.000 for their use of cookies.

According to the AEPD, Twitter’s cookie banner states that, by using Twitter, the user accepts the cookie policy.

Twitter provides no further link in the banner on how to reject the use of cookies. Nor is there any information in the pop-up on how to manage or configure data processing options on the Twitter platform.

Again, cookies are stored on the users’ computers as they enter the site before they have accepted or rejected cookies.

Therefore, AEPD holds that Twitter has violated Spanish Data Protection laws. The AEPD has required Twitter to take appropriate actions within one month.

How to solve the issue?

  • Provide users with an option to reject cookies if they want.
  • Block cookies until you have obtained consent to cookies.
  • Provide access to your site/content also when users reject cookies – cookie walls are unlawful.

Link: AEPD Resolution against Twitter Inc. (in Spanish only)

Checklist to comply with ePrivacy (cookie law) and GDPR when using cookies

Here’s a short checklist to comply with both national and international rules on cookies and data processing.

CHECKLIST for collecting valid consent to cookies

  • Block cookies before you get consent
  • Offer an easy way for your user to decline cookies
  • Inform your users of cookies
  • Respect their privacy choices
  • Provide an easy way to change or withdraw consent
  • Store their consents for 5 years

For more information on European laws on cookies, see these links:

Link: ePrivacy and GDPR - What do these EU regulations say about website cookies?

Link: Spanish Airline Vueling fined for not letting users reject cookies