AEPD (Spain) - EXP202210346: Difference between revisions
No edit summary |
No edit summary |
||
Line 64: | Line 64: | ||
=== Facts === | === Facts === | ||
A data subject represented by noyb (European Centre for Digital Rights) complained that a website installed non-essential cookies (which require consent) before the user had interacted with the cookie banner | A data subject represented by noyb (European Centre for Digital Rights) complained that a website installed non-essential cookies (which require consent) before the user had interacted with the cookie banner which is where the user can provide consent. | ||
They also pointed out that the notion of consent related to the cookie banner was flawed for two reasons. Firstly, consent in the cookie control panel was not granular. If you chose to not allow any of the groups of cookies, without moving the corresponding cursor from the "deactivated" position and click on the "save and exit" option, the website continues to use the same cookies detected at the beginning. | They also pointed out that the notion of consent related to the cookie banner was flawed for two reasons. Firstly, consent in the cookie control panel was not granular. If you chose to not allow any of the groups of cookies, without moving the corresponding cursor from the "deactivated" position and click on the "save and exit" option, the website continues to use the same cookies detected at the beginning. |
Revision as of 08:45, 4 October 2023
AEPD - PS-00079-2023 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 22.2 LSSI |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 07.06.2023 |
Published: | |
Fine: | 2000 EUR |
Parties: | n/a |
National Case Number/Name: | PS-00079-2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | PS-00079-2023 (in ES) |
Initial Contributor: | sh |
The Spanish DPA fined a company €2,000 after noyb submitted a cookie complaint over the installation of non-essential cookies and flawed consent practices in relation a cookie banner.
English Summary
Facts
A data subject represented by noyb (European Centre for Digital Rights) complained that a website installed non-essential cookies (which require consent) before the user had interacted with the cookie banner which is where the user can provide consent.
They also pointed out that the notion of consent related to the cookie banner was flawed for two reasons. Firstly, consent in the cookie control panel was not granular. If you chose to not allow any of the groups of cookies, without moving the corresponding cursor from the "deactivated" position and click on the "save and exit" option, the website continues to use the same cookies detected at the beginning.
Secondly, there was no mechanism that made it possible to return to the control panel to modify consent once the use of cookies has been allowed and web browsing had begun, making the withdrawal of consent impossible.
Holding
The Spanish DPA entered the website for the first time and verified that, without accepting cookies or performing any action on the page, performance cookies (_ga; _gid; _ga_DZD8C8RYLW and_ga_G4RJWW5CDC3) as well as targeting cookies (_gat_gtag_UA_40838799_5; ts and _gat_gtag_UA_.30525763_4) were installed. They also identified cookies that could not be identified as technical or necessary but that belonged to a third party not responsible for the website (v1st; dmvk and nosotrosprivacidad).
They also verified that the "disabled cookies" pre-set settings had no impact. Clicking on the "save and exit" option without moving the “disabled cookies” setting, resulted in the website continuing to use the same cookies previously detected above.
They also verified that there is no mechanism that allows permanent access to the control panel after giving consent to the cookies.
The Spanish DPA fined the company €2,000 for infringing Article 22.2 LSSI. The fine was reduced to 1,600 because the company voluntarily paid the fine to terminate the DPA proceedings.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/20 File No.: EXP202210346 RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE VOLUNTEER From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: On April 10, 2023, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against B.B.B. (hereinafter the claimed party). Notified of the initiation agreement and after analyzing the allegations presented, on June 7, 2023, the proposed resolution was issued that The following is transcribed: << File No.: EXP202210346 (PS/00079/2023) PROPOSED RESOLUTION OF THE SANCTIONING PROCEDURE Of the actions carried out by the Spanish Data Protection Agency and in based on the following: BACKGROUND FIRST: On 08/10/22, Ms. A.A.A. (hereinafter, the complaining party) filed claim before the Spanish Data Protection Agency. The claim is led against D. B.B.B. with NIF ***NIF.1, owner of the website ***URL.1 (in hereinafter, the claimed party), for the alleged violation of the regulations of data protection: Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/16, regarding the Protection of Natural Persons in what regarding the Processing of Personal Data and the Free Circulation of these Data (RGPD) and Organic Law 3/2018, of December 5, on Data Protection Personal Rights and Guarantee of Digital Rights (LOPDGDD), and against the Law 34/2002, of July 11, on Information Society Services and Commerce Electronic (LSSI), and taking into account the following: The reasons on which the claim was based were that, during the visit to the website found that it presents a banner from a consent platform (CMP) provided by OneTrust and that among other installed cookies is the IDE cookie of the domain doubleclick.net. SECOND: On 02/14/23, a request letter is sent to the OPENHOST entity S.L. to inform this Agency about the owner of the domain “cinenuevatribuna.es”. THIRD: On 02/16/23, this Agency received a letter from the entity OPENHOST S.L., where it states that: D. B.B.B. with DNI ***NIF.1, is the owner and owner of the digital news website: ***URL.1. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/20 FOURTH: On 02/17/23, this Agency accessed the website ***URL.1, verifying the following characteristics regarding its “Policy of Cookies": 1º.- Regarding the use of cookies before the user gives their consent: When entering the website for the first time, once the terminal equipment has been cleaned of history navigation and cookies, without accepting new cookies or performing any action on the website, it has been verified that cookies that are not technical or necessary, with the following characteristics: Performance cookies (4): These cookies allow us to quantify the number of visits and traffic sources in order to evaluate the performance of the site. Us They help you know which pages are the most or least visited and how ra visitors navigate the site. cookies Domain Description _ga ***DOMAIN.1 This cookie name is associated with Google Universal Analytics, which is an update important service most used analysis Google. This cookie is used to distinguish unique users by assigning a random-generated number mind as an identifier customer. It is included in each so- page legality on a site and is used to calculate the data of visitors, sessions and exchanges cloths for reports site analysis. _gid ***DOMAIN.1 This cookie is set by Google Analytics. Warehouse- na and updates a single value for each page visited and used to count and track pages seen. _ga_DZD8C8RYLW ***DOMAIN.1 Google Analytics uses this C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/20 cookies Domain Description cookie to maintain the status of the session. _ga_G4RJW5CDC3 ***DOMAIN.1 Google Analytics uses this cookie to maintain the status of the session. Targeting cookies (3): These include social media cookies that are placed on sites to track users across the web and serve them ads. cookies Domain Description _gat_gtag_UA_ ***DOMAIN.1 This cookie is part of 40838799_5 Google Analytics and is used to limit applications des (application rate acceleration). ts ***DOMAIN.2 This cookie generally It is provided by PayPal and supports payment services on the website. _gat_gtag_UA_ ***DOMAIN.1 This cookie is part of 30525763_4 Google Analytics and is used to limit applications des (application rate acceleration). Unclassified cookies (3): Cookies that have not been classified as technical unique but your domain belongs to a third party cookies Domain Description v1st ***DOMAIN.2 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/20 cookies Domain Description dmvk ***DOMAIN.2 usprivacy ***DOMAIN.2 2.- About the cookie information banner in the first layer: When entering the website for the first time, once the terminal equipment has been cleaned of history navigation and cookies, without performing any action on the web page, a cookie information banner at the bottom of the main page with the next message: Your privacy is important to us: We and our <<partners>> store or access information on a device, such as cookies, and we process personal data, such as unique identifiers and standard information sent by a device, to personalized ads and content, ad and content measurement and information about the public, as well as to develop and improve products. with his permission, we and our partners may use location data precise geographic and identification through device characteristics. You may click to consent to us and our partners for us to carry out the processing previously described. So Alternatively, you can access more detailed information and change your preferences before granting or denying consent. Please note that some processing of your personal data may not require your consent, but you have the right to object to such processing. Your preferences are They will apply only to this website. You can change your preferences at any time. moment by re-entering this website or visiting our privacy policy. privacy. <<more options>> <<I accept>> If you access the second layer through the link <<more options>> the web displays a control panel where it is verified that the cookie groups are are pre-marked in the “OFF” option: Your privacy is important to us: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/20 We and our partners store or access information on devices, such as cookies, and we process personal data, such as unique identifiers and standard information sent by a device, for which purposes described below. You can click to give us your consent to us and our partners to carry out the processing for such purposes. Alternatively, you can click to deny your consent or access more detailed information and change your preferences before giving your consent. Your preferences will be applied only to this website. Please note that some processing of your personal data may not require your consent, but you have the right to refuse such consent. prosecution. You can change your preferences at any time by logging in. new to this website or by visiting our privacy policy. <<LOCK ALL>> <<AUTHORIZE ALL>> Precise geographic location data and identification through characteristics of devices “DISABLED” Personalized ads and content, ad and content measurement, public information and product development “OFF” Store or access information on a “DISABLED” device <<PARTNERS>> <<LEGITIMATE INTEREST>> <<SAVE AND EXIT>> In this control panel you can see that consent is not granular because both “analytical” and “advertising” cookies are in a single block: “Data precise geographical location and identification through the characteristics of devices: (OFF)” and the user is obliged to accept or reject them jointly. If you choose NOT to allow any of the cookie groups, without moving the cursor corresponding from the “disabled” position and click on the “save and save” option. exit” it is checked how the website continues to use the same non-technical cookies or necessary detected at the beginning. 3º.- About the information provided in the “Cookies Policy”: If you wish to access the information in the “Cookies Policy”, through the existing link at the bottom of the main page, the website redirects the user to a new page ***URL.2, which provides information about: what are the cookies; the cookies used on this website or how to deactivate or delete them cookies through the browser installed on the terminal equipment. 4º.- About how to withdraw consent to the use of cookies after having offered: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/20 It is verified that there is no mechanism that makes it possible to return to the control panel. cookie management control to modify the consent, once the use of cookies and started web browsing. FIFTH: On 04/10/23, the Director of the Spanish Agency for the Protection of Data agreed to initiate sanctioning proceedings against the defendant, for the alleged violation of article 22.2 of the LSSI regarding the irregularities detected in the cookie policy of the website it owns. In the opening agreement determined that the sanction that could correspond given the evidence existing at the time of opening and without prejudice to what results from the instruction, would amount to a total of 2,000 euros. The irregularities detected regarding the cookie policy of the website in issue, in the present procedure were: a).- Regarding the installation of cookies on the terminal equipment prior to consent: When entering the website for the first time, without accepting cookies or performing any action on the page, it has been verified that cookies that are not technical or necessary: - 4 Performance Cookies: _ga; _gid; _ga_DZD8C8RYLW and _ga_G4RJW5CDC3 - 3 Targeting Cookies: _gat_gtag_UA_40838799_5; ts and _gat_gtag_UA_ 30525763_4 - 3 Cookies that could not be identified if they are technical or necessary but the domain belongs to a third party not responsible for the website (***DOMAIN.2): v1st; dmvk and usprivacy b).- Regarding consent to the installation of cookies on the terminal equipment: In the cookie control panel, if you choose NOT to allow any of the groups of cookies, without moving the corresponding cursor from the “deactivated” position and Click on the “save and exit” option to see how the website continues to use the same cookies detected at the beginning. c).- About the withdrawal of consent for the use of cookies once given. Once consent has been given for the use of cookies through the option existing in the initial banner or through consent given in the control panel. troll checks that the cookies detected at the beginning are installed. However, it Verify that there is no mechanism or access to the permanent control panel that allows after having given consent to withdraw it. SIXTH: Once notified of the aforementioned initiation agreement, the defendant presented a document dated 05/12/23, in which he states the following: 1st. Regarding the complainant, this is the first news we have of this user since we have not received any type of complaint from them or in C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/20 our contact emails that we have provided on our website: Contact: ***EMAIL.1 and Commercial Department: ***EMAIL.2. In this regard, we have not been able to give them the corresponding explanation or resolve any claim in this regard. It is very strange that a client formalizes a complaint, without previously having communicated with the company, it seems that what is sought is not to solve the problem but generate a sanction, which could have its origin in an action of unfair competition promoted by a competitor. 2nd. This company has been granted OPENHOST S.L. by service contract, Therefore, the following explanation has been provided by this company. 3rd. The operation of the website is as follows: The cookie management system that “cinenuevatribuna” has is the system Quancast, installed by us, by opennemas.com. All cookie management systems, in their default installation in the websites allow Google Analytics cookies. We on the websites of opennemas.com we have installed Quancast. Quancast is a company that has a consent management system Cookies and is accepted by IAB Europe and IAB Spain. IAB is the largest body in the world that regulates the entire issue of advertising, cookies and consents. More information: ***URL.3. 90% of digital media install Google Analytics cookies even without the reader accepting cookie consent. We understand that implicit consent for analytics cookies Google Analytics are necessary for the internal control of the website. Google Analytics analytics cookies are for management purposes only. internal and traffic control. Otherwise the owner of the news website is blind and cannot correctly manage its publishing business since it does not You would know what is happening in your environment. The cookies that are registered are anonymous with the sole intention of measuring user, that is, no type of tracking will be carried out on the user. user. And this use is legal since it is an access control system, but No user tracking. We can apply improvements to the cookie consent system so that BLOCK THE COOKIES of Google Analytics but you would be lost all control of real web traffic. 4th. The system that is being used is similar to the one used by media national dissemination tested as: (…). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/20 The use of cookies in these media is precisely tested to verify that the implemented system has the same operation. Starting from the presumption that these media, due to their own policy of legality and under the control of THE SPANISH DATA PROTECTION AGENCY, They are complying with the parameters of legal action. 5th. Regarding the infringement, as has been stated, it is considered that it is not of application of art 38.4.g of the LSSI to the extent that it is not being breached the art. 22 LSSI. 6th. If there is any doubt about the legality, we understand that the criteria for The acceptance of cookies must be unanimous and unified for all companies, given that the exclusion criterion is still interpretative 22.2 of the LSSI. For all the above, REQUEST: 1st. That the opposition to the file be considered formalized sanctioner. 2nd. Let it be considered that both in the way of acting, intentionality legality, is not a reason for infringement, given that anonymous use of cookies, to the sole global access control criteria, does not imply a violation of art. 22 of the LSSI 3rd. Let the clarification proceed, on the legality of the use of the anonymous usage tracking procedure of cookies without the need for express authorization from the user. SEVENTH: On 06/07/23, this Agency accessed the website ***URL.1, verifying the following characteristics regarding its “Policy of Cookies": 1º.- Regarding the use of cookies before the user gives their consent: When entering the website for the first time, once the terminal equipment has been cleaned of history navigation and cookies, without accepting new cookies or performing any action on the website, it has been verified that cookies that are not technical or necessary, with the following characteristics: Performance cookies (3): These cookies allow us to quantify the number of visits and traffic sources in order to evaluate the performance of the site. Us They help you know which pages are the most or least visited and how ra visitors navigate the site. cookies Domain Description _ga ***DOMAIN.1 This cookie name is- is associated with Google Universal Analytics, what is an important update analysis service sis most used C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/20 cookies Domain Description Google. This cookie is used list to distinguish users unique by assigning tion of a generating number do randomly like client identifier. HE included in each request of page on a site and used to calculate the data of visitors, sessions and campaigns for information month of site analysis. _gid ***DOMAIN.1 This cookie is configured given by Google Analyti- cs. Store and update a unique value for each page visited and used to count and track pages some views. _ga_1L5EYBL9XB ***DOMAIN.1 Google Analytics uses this cookie to keep the state of the session. Targeting cookies (3): These include social media cookies that are placed on sites to track users across the web and serve them ads. cookies Domain Description _gat_gtag_UA_ ***DOMAIN.1 This cookie is part of 30525763_4 Google Analytics and is used to limit applications des (application rate acceleration). b).- Regarding consent to the installation of cookies on the terminal equipment: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/20 In the cookie control panel, if you choose NOT to allow any of the groups of cookies, without moving the corresponding cursor from the “deactivated” position and Click on the “save and exit” option to see how the website continues to use the same cookies detected at the beginning. c).- About the withdrawal of consent for the use of cookies once given. Once consent has been given for the use of cookies through the option existing in the initial banner or through consent given in the panel control checks that the cookies detected at the beginning are installed. Nevertheless, It is verified that there is no mechanism or access to the control panel permanent that allows the user to later access the control panel to be able to modify your consent if you wish. PROVEN FACTS Of the actions carried out in this procedure and the documentation recorded in the file, the following have been accredited: First: The irregularities detected regarding the page's cookie policy website ***DOMAIN.1, in the verification carried out by this Agency on 02/17/23, were: a).- Regarding the installation of cookies on the terminal equipment prior to consent: When entering the website for the first time, without accepting cookies or performing any action on the page, it has been verified that cookies are used that are not technical or necessary: 4 Performance cookies: _ga; _gid; _ga_DZD8C8RYLW and _ga_G4RJW5CDC3; 3 Targeting Cookies: _gat_gtag_UA_40838799_5; ts and _gat_gtag_UA_ 30525763_4 and 3 Cookies that It has not been possible to identify whether they are technical or necessary but the domain belongs to a third party not responsible for the website (.dailymotion.com): v1st; dmvk and usprivacy b).- Regarding consent to the installation of cookies on the terminal equipment: In the cookie control panel, if you choose NOT to allow any of the groups of cookies, without moving the corresponding cursor from the position “disabled” and click on the “save and exit” option, you will see how the The website continues to use the same cookies detected at the beginning. c).- About the withdrawal of consent for the use of cookies once given. Once consent has been given for the use of cookies through the existing option in the initial banner or through consent given in The control panel checks that the cookies detected when principle. However, it is found that there is no mechanism or access to the permanent control panel that allows after having provided consent to withdraw. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/20 Second: The irregularities detected regarding the cookie policy of the website ***DOMAIN.1, in the verification carried out by this Agency the 06/07/23, after having received the written allegations regarding the initiation of the file, were: a).- Regarding the installation of cookies on the terminal equipment prior to consent: When entering the website for the first time, without accepting cookies or performing any action on the page, it has been verified that cookies are used that are not technical or necessary: 3 Performance cookies: _ga; _gid; _ga_1L5EYBL9XB and 1 Targeting Cookies: _gat_gtag_UA_30525763_4 b).- Regarding consent to the installation of cookies on the terminal equipment: In the cookie control panel, if you choose NOT to allow any of the groups of cookies, without moving the corresponding cursor from the position “disabled” and click on the “save and exit” option, you will see how the The website continues to use the same cookies detected at the beginning. c).- About the withdrawal of consent for the use of cookies once given. Once consent has been given for the use of cookies through the existing option in the initial banner or through consent given in The control panel checks that the cookies detected when principle. However, it is found that there is no mechanism or access to the permanent control panel that allows after having provided consent to withdraw. FOUNDATIONS OF LAW YO.- Competence: The Director of the Agency is competent to initiate and resolve this procedure. Spanish Data Protection, in accordance with the provisions of art. 43.1, second paragraph, of the LSSI Law. II Prior to examining the substantive issue, it is necessary to analyze the issues alleged by the defendant. The complainant states, among others, that “the cookie management system, in its default installation on the websites, allow Google Analytics cookies and that the implicit consent of Google Analytics analytics cookies are necessary for the internal control of the website.” It also states that, “Google Analytics analytics cookies are only for internal management and traffic control, are anonymous with the sole intention of measuring user, that is, no type of tracking will be carried out on the user. And this C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/20 It is legal to use since it is an access control system, but it is not tracked. user". Finally, he states that, “improvements could be applied to the consent system.” of cookies so that it BLOCKS THE COOKIES of Google Analytics Analytics but “All control of real web traffic would be lost.” Well, indicate that the second section of article 22 of the LSSI establishes: “Service providers may use storage devices and data recovery on recipients' terminal equipment, provided that they have given their consent after they have been provided clear and complete information on its use, in particular on the purposes of data processing, in accordance with the provisions of the Law Organic 15/1999, of December 13, Protection of Personal Data Staff. Where technically possible and effective, the consent of the recipient to accept the processing of the data may be facilitated through the use of the appropriate settings of the browser or other applications. The above will not prevent possible storage or access of a technical nature for the sole purpose of carrying out the transmission of a communication over a network of electronic communications or, to the extent strictly necessary necessary, for the provision of an information society service expressly requested by the recipient.” This article 22.2 refers to Organic Law 15/1999, of December 13, of protection of personal data, in relation to the requirements of the informed consent, although currently this referral must be interpreted made to the RGPD, applicable from May 25, 2018, and to the LOPDGDD, applicable since December 7, 2018. In this sense, the RGPD itself, in its recital 30, mentions these technologies and its impact on data protection: “Natural persons can be associated with online identifiers facilitated by your devices, applications, tools and protocols, such as Internet protocol addresses, session identifiers in the form of "cookies" or other identifiers, such as identification tags radio frequency. This can leave traces that, in particular, when combined with unique identifiers and other data received by servers, may be used to create profiles of natural persons and identify them.” Therefore, when the use of a cookie entails the processing of data personal, Those responsible for such treatment must ensure compliance with the additional requirements established by data protection regulations C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/20 personal, in particular in relation to special categories of data. HE It will be considered that there is processing of personal data when the user is identified by a name or email address that identifies you (for example, by be a registered user) or when unique identifiers are used that allow us to distinguish some users from others and carry out individualized monitoring of the same (for example, an advertising ID). However, in relation to the attention to data protection rights of the interested parties, if the person responsible for the treatment is not in a position to identify the interested party, may deny the request under the terms of article 12.2 of the RGPD. (except when the interested party in its exercise will provide additional information through which the person responsible for the treatment was able to identify it). Furthermore, in order to determine the scope of the regulations, it is necessary point out that they are exempt from compliance with the obligations established in article 22.2 of the LSSI the cookies used for any of the following purposes: - Only allow communication between the user's computer and the network. - Strictly provide a service expressly requested by the user. In this sense, the GT29, in its Opinion 4/201210, interpreted that among cookies Excepted would be those whose purpose is: - “User input” cookies: Session and user input cookies. user are often used to track the user's actions when filling out the forms online on several pages, or as a shopping cart to make the Track items that the user has selected when clicking a button. - Authentication or user identification cookies (session only). - User security cookies: For example, cookies used to detect erroneous and repeated attempts to connect to a website. - Media player session cookies. - Session cookies for load balancing. - User interface customization cookies. - Certain plug-in cookies to exchange content social: The exception only applies to users who have decided to maintain the open session. That said, for reasons of transparency it is recommended to inform, at least with generic nature, of those cookies excluded from the scope of application of the article 22.2 of the LSSI, either in the cookies policy or in the privacy policy itself (example: “This website uses cookies that allow the operation and provision of the services offered therein"). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/20 In any case, it must be taken into account that the same cookie may have more than a purpose (multipurpose cookies), so there is the possibility that a cookie is exempt from the scope of application of article 22.2 of the LSSI for one or more several of its purposes and not for others, the latter being subject to the scope of application of said precept. This should, in the words of WG29, “incite website owners to use a different cookie for each purpose.” In relation to cookie management or configuration systems, when they are used Multipurpose cookies with two or more different purposes and not exempt from the scope application of article 22.2 of the LSSI, it must be guaranteed that these cookies They are only used if all the purposes they group together are accepted, that is, if a cookie serves two purposes, but the user only accepts one of them, the cookie does not should be used, and this unless the management system used allows for a differentiated treatment for the different purposes of these multipurpose cookies, so that it is possible that if the user accepts one of its purposes and not others, the cookie only operates with the accepted purpose. About the different types of cookies according to their purpose for which the data is processed obtained through cookies, in this case the use has been detected of the following cookies: - Three Performance Cookies: _ga; _gid; _ga_1L5EYBL9XB. Cookies, for analysis, measurement or performance, are those that allow the responsible for monitoring and analyzing the behavior of the users of the websites to which they are linked, including the quantification of the impacts of advertisements. The information collected through this type of cookies is used in measuring the activity of the websites, application or platform, with the in order to introduce improvements based on the analysis of usage data made by the service users. Regarding the processing of data collected through analysis cookies or performance, the GT29 has stated that they are not exempt from the duty to obtain a informed consent for its use. - A Targeting Cookies: _gat_gtag_UA_30525763_4 include social media cookies that are placed on sites to track users. users on the web and provide them with advertisements. They store information about user behavior obtained through continuous observation of their browsing habits, allowing you to develop a specific profile to display advertising based on it. Regarding the processing of data collected through targeting cookies, the GT29 has stated that they are not exempt from the duty to obtain consent informed for use. III.- a).- Regarding the installation of cookies on the terminal equipment prior to consent: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/20 Article 22.2 of the LSSI establishes that users must be provided with information clear and complete information on the use of storage devices and data recovery and, in particular, about the purposes of data processing. This information must be provided in accordance with the provisions of the GDPR. Therefore, when the use of a cookie involves processing that enables the identification of the user, those responsible for the treatment must ensure the compliance with the requirements established by the regulations on the protection of data. However, it is necessary to point out that they are exempt from compliance with the obligations established in article 22.2 of the LSSI those necessary cookies for the intercommunication of terminals and the network and those that provide a service expressly requested by the user. In this sense, the GT29, in its Opinion 4/2012, interpreted that among cookies “User input Cookies would be excepted” (those used to fill out forms, or manage a shopping cart); cookies user (session) authentication or identification; user security cookies (those used to detect erroneous and repeated attempts to connect to a site Web); media player session cookies; session cookies to balance load; user interface customization cookies and some of complement (plug-in) to exchange social content. These cookies would be excluded from the scope of application of article 22.2 of the LSSI, and, therefore, it would not be necessary to inform or obtain consent about its use. On the contrary, it will be necessary to inform and obtain the prior consent of the user before using any other type of cookies, both first and third-party, session or persistent. In the verification carried out by this Agency on the claimed website, it was possible note that, upon entering the main page and without performing any action on the mime or accept cookies, the following non-necessary cookies were used: When entering the website for the first time, without accepting cookies or performing any action on the page, it has been verified that cookies that are not technical or necessary and therefore must obtain the user's informed consent. Are cookies are: 3 Performance cookies: _ga; _gid; _ga_1L5EYBL9XB and 1 Targeting Cookies: _gat_gtag_UA_30525763_4 b).- Regarding consent to the installation of cookies on the terminal equipment: To use non-excepted cookies, it will be necessary to obtain the express consent of the user. This consent can be obtained by clicking on, “accept” or inferring it from an unequivocal action carried out by the user that denotes that consent has been unequivocally produced. By Therefore, the mere inactivity of the user, scrolling or browsing the website, is not will consider for these purposes a clear affirmative action under no circumstances and will not will involve the provision of consent itself. Likewise, access to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/20 the second layer if the information is presented in layers, as well as navigation necessary for the user to manage their preferences in relation to cookies in the control panel, it is not considered an active behavior that can derive the acceptance of cookies. The existence of “Cookie Walls” is also not permitted, that is, windows pop-ups that block content and access to the website, forcing the user to accept the use of cookies to access the page and continue browsing without offer the user any type of alternative that allows them to freely manage their preferences regarding the use of cookies. If the option is to go to a second layer or cookie control panel, the link should take the user directly to said configuration panel. To facilitate the selection, in the panel it can be implemented, in addition to a management system granular cookies, two more buttons, one to accept all cookies and another to reject them all. If the user saves his choice without having selected any cookie, it will be understood that you have rejected all cookies. In relation to this second possibility, in no case are pre-checked boxes in favor of accepting cookies. If for the configuration of cookies, the website refers to the browser configuration installed on the terminal equipment, this option could be considered complementary to obtain consent, but not as the only mechanism. Therefore, if the editor opts for this option, it must also offer, and in any case, a mechanism that allow you to reject the use of cookies and/or do so on a granular basis. On the other hand, the withdrawal of the consent previously given by the user It must be able to be done at any time. To this end, the editor must offer a mechanism that makes it possible to easily withdraw consent at any time. moment. That facility will be considered to exist, for example, when the user have simple and permanent access to the management or configuration system of the cookies. If the editor's cookie management or configuration system does not allow you to avoid the use of third-party cookies, once accepted by the user, will be provided information about tools provided by the browser and third parties, must warn that, if the user accepts third-party cookies and subsequently wishes delete them, you must do so from your own browser or the system enabled by the third parties for this. In the case at hand, in the cookie control panel, if you choose NO allow any of the cookie groups, without moving the corresponding cursor from the “disabled” position and click on the “save and exit” option. Check how the website continues to use the same cookies detected at the beginning. c).- About the withdrawal of consent for the use of cookies once given. Users must be able to withdraw the consent previously granted at any time. any time To this end, the publisher must ensure that it provides information to users in their cookie policy on how they can withdraw consent. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/20 The user must be able to revoke consent easily. The system that offer to withdraw consent should be as easy as that used when presto. This facility will be considered to exist, for example, when the user has simple and permanent access to the cookie management or configuration system. In this case, once consent has been given for the use of cookies to through the existing option in the initial banner or through consent provided The control panel checks that the cookies detected at the beginning are installed. cheep. However, it is found that there is no mechanism or access to the control panel. permanent control that allows after having given consent to withdraw it. In view of the above, the following is issued: MOTION FOR RESOLUTION FIRST: That by the Director of the Spanish Data Protection Agency san- tion to D. B.B.B.. with NIF ***NIF.1, owner of the website ***URL.1, for an infringement tion of Article 22.2 of the LSSI regarding the irregularities detected in the policy. ca of cookies from the website it owns, with a fine of 2,000 euros (two a thousand euros). Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you will be informs that it may, at any time prior to the resolution of this proceeding cession, carry out the voluntary payment of the proposed sanction, which will mean a 20% reduction in the amount. With the application of this reduction tion, the penalty would be established at 1,600 euros (one thousand six hundred euros) and its payment will imply the termination of the procedure. The effectiveness of this reduction will be conditioned upon the withdrawal or renunciation of any administrative action or resource. attempt against the sanction. In the event that you choose to proceed with the voluntary payment of the amount specified above, Subsequently, in accordance with the provisions of the cited article 85.2, it must be carried out. tive by depositing it into the restricted account No. ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency in the banking entity- CAIXABANK, S.A., indicating in the concept the reference number of the procedure. ment that appears in the heading of this document and the cause, for voluntary payment voluntary, reduction of the amount of the penalty. Likewise, you must send proof of entering the General Inspection Subdirectorate to proceed to close the experi- tooth. In its virtue, you are notified of the above, and the process is made clear to you. ment so that within a period of TEN DAYS you can allege whatever you consider in your defense and present the documents and information that it considers pertinent, of in accordance with article 89.2 of the LPACAP. C.C.C. INSTRUCTOR. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/20 File Index EXP202210346: 08-10-2022 Claim 08-11-2022 Claim 08-11-2022 Claim 04-10-2022 Resolution to NOYB EUROPEAN CENTER FOR DIGITAL 01-11-2022 Replacement resource 11-15-2022 Resolution to NOYB EUROPEAN CENTER FOR DIGITAL 11-15-2022 Communication to NOYB EUROPEAN CENTER FOR DIGITAL 12-21-2022 Cookie diligence 01-13-2023 Google Analytics cookies diligence 02-14-2023 OPENHOST request to OPENHOST, S.L. 02-16-2023 Response to request from OPEN HOST SL 02-17-2023 NIC Diligence 02-17-2023 Diligence opennemas 02-17-2023 Inf. planned actions. 04-11-2023 Startup agreement 05-04-2023 Claimant Info. 05-12-2023 Brief of allegations >> SECOND: On July 2, 2023, the claimed party has proceeded to pay the sanction in the amount of 1600 euros making use of the reduction provided in the proposed resolution transcribed above. THIRD: The payment made entails the waiver of any action or resource pending. administrative against the sanction, in relation to the facts referred to in the resolution proposal. FOUNDATIONS OF LAW Yo Competence In accordance with the provisions of article 43.1 of Law 34/2002, of July 11, of services of the information society and electronic commerce (hereinafter LSSI) and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." Finally, the fourth additional provision "Procedure in relation to the powers attributed to the Spanish Data Protection Agency by others C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/20 laws" establishes that: "The provisions of Title VIII and its implementing regulations will apply to the procedures that the Spanish Agency for the Protection of Data would have to be processed in the exercise of the powers attributed to it by other laws." II Termination of the procedure Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), under the heading “Termination in sanctioning procedures” provides the following: "1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility, The procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely pecuniary in nature or a penalty can be imposed pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the second, the voluntary payment by the alleged responsible, in Any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. 3. In both cases, when the sanction has only a pecuniary nature, the body competent to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the initiation notification. of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of any administrative action or appeal against the sanction. The reduction percentage provided for in this section may be increased “regularly.” According to what was stated, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DECLARE the termination of procedure EXP202210346, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to B.B.B.. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Administrative Litigation Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/20 day following the notification of this act, as provided for in article 46.1 of the referred Law. 968-171022 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es