Spanish DPA in multiple cookie fines

Spain: AEPD issues four fines for unlawful use of cookies and cookie banners. Here’s what you can do to comply with data protection regulations and prevent fines.
Table of Contents
What do Innova Resort, Garantiza Automoción, Petrolis Independents and Twitter have in common?
Well, in June, they were all fined by the Spanish Data Protection Authority (AEPD) for unlawful use of cookies on their websites.
All company websites used cookies but, according to the AEPD, failed to inform rightfully about them and collect their users’ consent.

#1 – Used cookies without user consent

The Innova Resort S.L. is fined €3.000 for storing analytics and advertising cookies without requesting their user’s consent.
Cookies were stored onto the visitors’ computers without the user carrying out any action. Furthermore, users were instructed to use browser settings to control and delete cookies.

How to solve the issue?

  • Collect your visitors’ consent to cookies.
  • Block cookies until you get consent.
  • Make sure your users can manage cookies directly in your cookie pop-up.

#2 – Users not presented with a cookie banner

The Garantiza Automoción S.L. has also been fined €3.000 for not presenting users with a cookie banner or cookie pop-up.
Thereby, the website did not provide users with the opportunity to be informed about cookies or to make any choices regarding the cookies which were stored on their computers.
Although the website made a link to a cookie policy available, the mechanism did not give users the possibility to manage their data choices.

How to solve the issue?

  • Get a solid cookie pop-up to inform your users of cookies.
  • Let them know what data you collect and who has access to the data.
  • Providing users with the possibility to manage their own personal data – it pays off in goodwill.

#3 – No mechanism to manage cookies or consent

The AEPD has fined Petrolis Independents S.L. €3.000 for not letting users choose between which cookies to accept and which to reject.
Technically speaking, their cookie policy did not include a mechanism that enabled the control of cookie consents in a granular way.
Furthermore, the cookie policy did not mention that unnecessary cookies were set when the user entered the website without having carried out any action.

How to solve the issue?

  • Provide users with options for accepting or rejecting cookies by purpose (e.g., statistics or marketing).
  • Inform your users about cookies in a cookie banner. Be transparent about the data you collect.

#4 – No options to reject cookies

The AEPD fined Twitter €30.000 for their use of cookies.
According to the AEPD, Twitter’s cookie banner states that, by using Twitter, the user accepts the cookie policy.
Twitter provides no further link in the banner on how to reject the use of cookies. Nor is there any information in the pop-up on how to manage or configure data processing options on the Twitter Platform.
Again, cookies are stored on the users’ computers as they enter the site before they have accepted or rejected cookies.
Therefore, the AEPD holds that Twitter has violated Spanish Data Protection laws. The AEPD has required Twitter to take appropriate actions within one month.

How to solve the issue?

  • Provide users with an option to reject cookies if they want.
  • Block cookies until you have obtained consent to cookies.
  • Provide access to your site/content also when users reject cookies – cookie walls are unlawful.