AEPD (Spain) - PS/00264/2020: Difference between revisions
No edit summary |
m (Ar moved page AEPD - PS/00264/2020 to AEPD (Spain) - PS/00264/2020) |
||
(One intermediate revision by one other user not shown) | |||
Line 48: | Line 48: | ||
}} | }} | ||
The Spanish DPA (AEPD) held that | The Spanish DPA (AEPD) held that a consumers and users association (ASOCAPAC) breached Article 22(2) LSSI. The first layer of the cookie banner and the cookie policy on their website did not contain sufficient information and a "refuse all cookies" option was missing. | ||
==English Summary== | ==English Summary== | ||
Line 67: | Line 67: | ||
The Spanish DPA (AEPD) held that: | The Spanish DPA (AEPD) held that: | ||
* i) the lack of sufficient information on the first layer of the cookie banner, | *i) the lack of sufficient information on the first layer of the cookie banner, | ||
* ii) the lack of information as to the type of cookie and the time it remained active, | *ii) the lack of information as to the type of cookie and the time it remained active, | ||
* iii) as well as the absence of a "refuse all cookie" option | *iii) as well as the absence of a "refuse all cookie" option | ||
constituted a breach of Article 22(2) of the Spanish Law on Services of the Information Society and Electronic Commerce (LSSI). | constituted a breach of Article 22(2) of the Spanish Law on Services of the Information Society and Electronic Commerce (LSSI). |
Latest revision as of 14:23, 13 December 2023
AEPD - PS/00264/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 22(2) Law on Services of the Information Society and Electronic Commerce |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 14.01.2021 |
Published: | 01.02.2021 |
Fine: | None |
Parties: | FACUA - Asociación de Consumidores y Usuarios en Acción Asociación de Afectados por las Asociaciones de Consumidores |
National Case Number/Name: | PS/00264/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA (AEPD) held that a consumers and users association (ASOCAPAC) breached Article 22(2) LSSI. The first layer of the cookie banner and the cookie policy on their website did not contain sufficient information and a "refuse all cookies" option was missing.
English Summary
Facts
FACUA - Asociación de Consumidores y Usuarios en Acción (FACUA) filed a complaint against Asociación de Afectados por las Asociaciones de Consumidores (ASOCAPAC). The complaint concerned ASOCAPAC's cookie banner.
The Spanish DPA (AEPD) identified the following proven facts. Firstly, the cookie banner on ASOCAPAC's website did not provide concise and intelligible information as it only mentions: "This website uses its own and third party cookies to offer you a better experience and service (...)". This undermines the clarity of the message.
The Spanish DPA also established that the cookie policy (in the second layer of the banner or on the Privacy Policy page) provided additional information on what cookies are and first and third party cookies are used for. However, there was no information on the identification and the time that they were active.
Additionally, the DPA found that there was no mechanism to reject all cookies.
Dispute
Is the lack of information and the lack of a possibility to "refuse all cookies" on a cookie banner a breach of Article 22(2) LSSI?
Holding
The Spanish DPA (AEPD) held that:
- i) the lack of sufficient information on the first layer of the cookie banner,
- ii) the lack of information as to the type of cookie and the time it remained active,
- iii) as well as the absence of a "refuse all cookie" option
constituted a breach of Article 22(2) of the Spanish Law on Services of the Information Society and Electronic Commerce (LSSI).
The Spanish DPA therefore imposed a warning sanction on the defendant, ASOCAPAC. The DPA also outlined that the defendant had a month to modify the cookie banner and introduce a new cookie policy.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/4 Procedure No.: PS / 00264/2020 938-0419 RESOLUTION OF SANCTIONING PROCEDURE In the sanctioning procedure PS / 00264/2020, instructed by the Spanish Agency for Data Protection for the ASSOCIATION OF AFFECTED BY THE ASSOCIATIONS DE CONSUMIDORES, with CIF .: G88568985, owner of the website, www.asocapa- c.com, (hereinafter, "the claimed association"), by virtue of a complaint filed by the association, FACUA - ASSOCIATION OF CONSUMERS AND USERS IN AC- TION, (hereinafter, “the claimant association”), and based on the following, BACKGROUND FIRST: On 01/09/20, you have an entry in this Agency, a complaint filed by the claimant association in which it indicated, among others, the following: "That from this association we have been able to verify how on the website www.a- socapac.com does not collect "legal notice" (or similar section) or information related to processing of personal data of any kind, which may be contrary, by a hand, to the content of Law 34/2002, of July 11, on services of the company of the information and electronic commerce and, on the other hand, the current regulations on ria of data protection. Likewise, from FACUA we have been able to verify that the Association of Consumed- affected by the Consumers Associations (ASOCAPAC), which they assume This web page actually belongs, it is not registered, contrary to what It is indicated on this website, in any public registry, as we have been informed directly from the General Ministry of Health, Consumption and Social Welfare and, more specifically, from the general sub-directorate of arbitration (who owns the requests in the register of consumer and user associations). Said with others In words, everything seems to indicate that we are facing a non-existent association and to a web page with some kind of malicious intent with respect to those the people who accessed it. We have been able to observe how the website https://www.asocapac.com/ is done use of cookie files without notifying the user of said website in any way about the use of lization of this class of files. Likewise, this website advertises two email addresses electronic mail that are intended for users of this platform to write to the same which, consequently, must imply the processing of personal data- (at least, the treatment of the email address of the person who sends the corresponding communication) ”. SECOND: In view of the facts set forth in the claim and the documents provided by the claimant, the SG of Data Inspection proceeded to carry out actions tions for its clarification, in accordance with article 65.4 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of rights chos digital (hereinafter LOPDGDD). Thus, dated 02/27/20 and 03/12/20 he addressed two written requests for information to the claimed entity. According to the certificate of the Electronic Notifications and Electronic Address Service Enabled, the request sent to the claimed association on 02/27/20, through C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/4 NOTIFIC @ service, was automatically rejected in the direction of des- tino on 03/10/20. According to a certificate from the State Postal and Telegraph Society, the request to send from the claimed association on 03/12/20, through the SICER service, was collected at destination on 06/03/20, by D. A.A.A .. *** NIF. 1. THIRD: On 09/16/20, by this Agency, the website is consulted reported, verifying the following aspects of the privacy policy and the cookie policy implemented on said page: A) Regarding the Privacy Policy: On the website https://www.asocapac.com/, through the tab, <<contact>>, located at the top of the page, a form is displayed where they are collected Users' personal data, such as name and email address. At the bottom of the web page there is a link, << Privacy Policy >>, through through which, it is redirected to the page, https://www.asocapac.com/politica-de-privacidad/, where it is informed of: the identity of the person in charge; The principles applied in the treatment data storage; Obtaining personal data; How to object to the treatment to; the purpose of the processing of personal data; the security of personal data- them; the content of other websites; the Cookies Policy; the legitimation for the data storage; the categories of personal data; recipients of personal data sonal; the acceptance and consent and the revocability of the consent. B) About the Cookies Policy: b.1.) When accessing the main page of the reported website, (first layer), there is a information banner about cookies at the bottom of it, with the following legend: "This website uses its own and third party cookies to offer you a better experience and service. By browsing or using our services, the user accepts the use we make of cookies ”. << Cookie settings >> - <<ACCEPT>> b.2.) If the cookie policy is accessed, (second layer), through the link << Cookie Settings >>, or through the link on the privacy policy page << Po- Cookies policy >>, it is redirected to the page displays a page https: //www.asocapa- c.com/politica-de-cookies/, where information is provided on: what are the cookies and the types of cookies used. On the process to deactivate cookies, the web refers the user to configure the browser installed on your terminal equipment. FOURTH: In view of the facts denounced from the verifications carried out by this Agency, the Director of the Spanish Agency for Data Protection, dated 09/22/20, agreed to initiate a sanctioning procedure against the claimed person, in under the established powers, for failing to comply with the provisions of article 22.2 of the LSSI, regarding the cookie policy of its website. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/4 FIFTH: Notified the initiation of the file on 10/03/20, to date, no It is clear that any response has been given to the initiation of the file within the period granted for this, for the appropriate legal purposes by the claimed entity. Of the actions carried out in this procedure, of the information and documents documentation presented by the parties, the following have been accredited: PROVEN FACTS 1º.- When accessing the home page there is a banner about cookies, which provides information not very concise or intelligible, since when using the expression: “This website uses own and third party cookies to offer you a better experience and service (…) ”, in lead to confusion, undermining the clarity that the message should have at this point. 2nd.- If the cookie policy is accessed, (second layer), through the link << Cookie Settings >>, or through the link on the privacy policy page << Po- Cookies policy >>, information is provided on: what are cookies or what for use their own and third-party cookies, but identification information is missing and the time they will be active. Nor is there a mechanism to reject all cookies. FOUNDATIONS OF LAW I The Director of the Spanish Agency is competent to resolve this procedure of Data Protection, in accordance with the provisions of art. art. 43.1, paragraph second, from the LSSI. II The joint assessment of the documentary evidence in the procedure brings to the conclusion knowledge of the AEPD a vision of the denounced action that has been reflected It gives in the facts declared proven above related. Of the actions carried out, in relation to the "Cookies Policy", of the page claimed web, https://www.asocapac.com/, the following aspects have been verified: When accessing the home page there is a banner about cookies, which provides not very concise or intelligible information, since when using the expression: “This website uses own and third-party cookies to offer you a better experience and service (…) ”, They induce confusion, undermining the clarity that the message should have. In the second layer, (cookie policy), information is provided about what they are cookies or what they use cookies for, but information about the identification and the time they will be active. There is also no mechanism that allow the user to reject all cookies. The exposed facts suppose on the part of the claimed entity, the commission of a violation of article 22.2 of the LSSI. This offense is classified as "minor" in the Article 38.4 g), of the aforementioned Law, which considers as such: “Use al- data storage and recovery when the information has not been provided or obtained the consent of the recipient of the service in the terms required by Article 22.2. ”, which may be sanctioned with a fine of up to € 30,000, according to with article 39 of the aforementioned LSSI. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/4 Based on these criteria, it is deemed appropriate to impose on the claimed entity a sanction of “APERCIBIMIENTO”, for the infraction of article 22.2 of the LSSI, res- pect of the cookie policy carried out on the website of its ownership. Therefore, in accordance with the foregoing, by the Director of the Spanish Agency Data Protection Policy, RESOLVES SEE: the ASSOCIATION OF AFFECTED BY THE ASSOCIATIONS OF CONSUMERS, with CIF .: G88568985, owner of the website, www.asocapac.- com, for the violation of article 22.2) of the LSSI, regarding its cookie policy on the website of its ownership. REQUIRE: the ASSOCIATION OF AFFECTED BY THE ASSOCIATIONS OF CONSUMERS so that, within a month from this act of notification, proceed to take the appropriate measures to adapt the website of your ownership, adapting the cookie policy, modifying the banner of the first layer, introducing providing information with clear and simple language, avoiding the use of phrases that lead to confusion or detract from the clarity of the message and expanding the information existing in the second layer identifying the cookies and the time they remain active. In addition, you must implement a mechanism that allows the rejection of all the cookies. NOTIFY: this resolution to the ASSOCIATION OF AFFECTED BY THE CONSUMER ASSOCIATIONS. In accordance with the provisions of article 50 of the LOPDPGDD, this Re- solution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDPGDD, and in accordance with the provisions of article 123 of the LPACAP, the The parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from the day after notification of this resolution or directly contentious appeal administrative before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the additional provision Fourth nal of Law 29/1998, of July 13, regulating the Contentious Jurisdiction- administrative, within two months from the day after the notification tion of this act, as provided in article 46.1 of the aforementioned Law. Mar Spain Martí Director of the Spanish Agency for Data Protection. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es