AEPD (Spain) - EXP202210347
AEPD - PS-00051-2023 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 22.2 LSSI |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 500000 EUR |
Parties: | n/a |
National Case Number/Name: | PS-00051-2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | PS-00051-2023 (in ES) |
Initial Contributor: | sh |
The Spanish DPA fined Massimo Dutti S.A. €5,000 for implementing non-essential cookies without consent and utilising dark patterns to acquire consent. This decision is the first of noyb’s cookie complaints to result in a fine.
English Summary
Facts
A data subject, represented by noyb (European Centre for Digital Rights), disputed both the cookies employed by Massimo Dutti S.A. on their website and the dark patterns utilised by Massimo Dutti S.A. to entice users to 'accept all cookies.'
Checking the cookies installed before any interaction with the cookie banner revealed that non-essential cookies were being set. For example, two performance cookies ("AKA_A2" and "RT") are used by Akamai Technologies, Inc. (a computing platform for the delivery of global Internet content of client companies) to optimise the response time between the visitor and the website. Four cookies were also detected that could not be classified (ITXSESSIONID; MDSESSION; bm_mi; bm_sv), although Massimo Dutti, S.A. classified them as strictly necessary cookies in a list that appears in the control panel.
Regarding dark patterns, there were several issues observed with the consent banner in the initial layer. Firstly, it lacked a 'reject all' button for non-essential cookies. Secondly, the 'accept all' button appeared similar to a regular button, while the 'manage cookies' option was presented as a mere link. Moreover, the 'accept all' button had a different color, which was also misleading. Lastly, withdrawing consent was not as straightforward as granting it. Once you had accepted all cookies or a specific group of cookies through the control panel, there was no clear and easy way to later withdraw your consent.
Holding
The Spanish DPA initially dismissed the complaint because noyb was not considered to be sufficiently accredited to represent the complainant. noyb filed a written appeal for reconsideration, which was upheld by the Director of the Spanish Data Protection Agency, taking into consideration the provisions of Article 5.6 of the LPACAP (The Common Administrative Procedure of Public Administrations) and analysing the documentation provided by the claimant in which she confers her representation on the organisation noyb.
The Spanish Data Protection Agency conducted three separate checks of Massimo Dutti’s website:
1. Check on 16/03/23:
- Identified the use of cookies without prior user consent, including performance cookies and others.
- Found that the initial cookie banner lacked clear and complete information on the purposes of cookie processing.
- Detected the absence of a mechanism to withdraw consent once given.
2. Check on 19/04/23:
- Again observed the use of cookies without prior user consent.
- Noted improvements in providing access to a cookie management panel but found issues with rejecting previously accepted non-technical cookies.
3. Check on 06/06/23:
- Observed that the website had addressed some deficiencies, allowing users to withdraw consent effectively.
- The website no longer used cookies that were previously consented to, reverting to using only necessary cookies.
Since not enough had improved between 16/03/23 and 06/06/23, Massimo Dutti S.A. was held to have breached Article 22.2 of the LSSI (Law of Information Society Services and Electronic Commerce) and was fined €5,000 by the Spanish DPA.
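
The three-stage check described above (clean profile, accept, then reject) can be expressed as a comparison of cookie-jar snapshots. This is an added example, not code from the decision, the AEPD or noyb; the `shop.example` domain, the snapshots and the categories assigned to the third-party cookies are constructed assumptions.

```javascript
// Declared categories. Cookie names come from the decision; the category given
// to each third-party cookie below is an assumption made for this example.
const INVENTORY = new Map([
  ["_abck", "necessary"], ["bm_sz", "necessary"],
  ["OptanonConsent", "necessary"], ["ak_bmsc", "necessary"],
  ["AKA_A2", "performance"], ["RT", "performance"],
  ["_ga", "analytics"], ["_gid", "analytics"],
  ["MUID", "advertising"], ["_ttp", "advertising"],
]);

// The same name can exist on several domains (MUID appears on both bing.com
// and clarity.ms in the decision), so identify a cookie by name and domain.
const key = (c) => `${c.name}@${c.domain}`;
const categoryOf = (c) => INVENTORY.get(c.name) ?? "unclassified";

// Each snapshot is the list of cookies present in the browser at that stage.
// This inspects the jar only: it cannot tell whether a script still reads a
// cookie that remains (the "blocking model" argued in the allegations).
function auditConsentFlow({ preConsent, afterAccept, afterReject }) {
  const findings = [];

  // Stage 1: clean profile, no interaction with the banner.
  // Anything not declared strictly necessary should not be here yet.
  for (const c of preConsent) {
    const category = categoryOf(c);
    if (category !== "necessary") {
      findings.push({ rule: "set-before-consent", cookie: key(c), category });
    }
  }

  // Stages 2 and 3: cookies that appeared only after "accept all" must be
  // gone again once the user rejects everything in the control panel.
  const baseline = new Set(preConsent.map(key));
  const accepted = new Set(afterAccept.map(key));
  for (const c of afterReject) {
    const k = key(c);
    const category = categoryOf(c);
    if (accepted.has(k) && !baseline.has(k) && category !== "necessary") {
      findings.push({ rule: "survives-withdrawal", cookie: k, category });
    }
  }
  return findings;
}

// Constructed sample data (placeholder first-party domain).
const jar = (domain, names) => names.map((name) => ({ name, domain }));
const SITE = "shop.example";
const necessary = jar(SITE, ["_abck", "bm_sz", "OptanonConsent", "ak_bmsc"]);
const firstLoad = [
  ...necessary,
  ...jar(SITE, ["AKA_A2", "RT", "ITXSESSIONID", "MDSESSION"]),
];
const thirdParty = [
  ...jar(".google.com", ["_ga", "_gid"]),
  ...jar(".bing.com", ["MUID"]),
  ...jar(".tiktok.com", ["_ttp"]),
];

// Behaviour resembling the first two checks: extra cookies on first load,
// and accepted third-party cookies still present after "reject all".
const beforeFix = auditConsentFlow({
  preConsent: firstLoad,
  afterAccept: [...firstLoad, ...thirdParty],
  afterReject: [...firstLoad, ...thirdParty],
});

// Behaviour resembling the third check: only necessary cookies remain.
const afterFix = auditConsentFlow({
  preConsent: necessary,
  afterAccept: [...necessary, ...thirdParty],
  afterReject: necessary,
});

console.log(beforeFix);
console.log(afterFix);
```

Cookies missing from the inventory are reported as `unclassified`, which mirrors how the decision treats ITXSESSIONID and MDSESSION.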
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202210347 (PS/00051/2023)
RESOLUTION OF SANCTIONING PROCEDURE
Of the actions carried out by the Spanish Data Protection Agency and based on the following,
BACKGROUND
FIRST: Dated 08/10/22, A.A.A. (hereinafter, the complaining party) filed a claim before the Spanish Data Protection Agency. The claim was directed against GRUPO MASSIMO DUTTI, S.A. with NIE.: A78115201, responsible for the website ***URL.1, (hereinafter, the claimed party), for the alleged violation of data protection regulations: Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/16, relating to Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of these Data (RGPD), Organic Law 3/2018, of December 5, of Personal Data Protection and Guarantee of Digital Rights (LOPDGDD) and Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI).
The facts, according to statements by the complaining party, are related to the use of cookies and obtaining user consent. On the visit that the complaining party claims to have made to the website on 09/28/21, it presented a banner in the first layer of consent in which there was no possibility to “reject all cookies” that were not technical or necessary. Furthermore, the design of the links was misleading because the button that leads to the option to “manage the cookies” in the control panel uses a “link” layout (highlighted or underlined text), while the “Accept all cookies” button uses a typical “button” design (square box with text). Besides, the colors and contrast of the buttons are also misleading as different colors have been used for the different options that were presented.
It is also indicated in the claim that it is not as easy to withdraw consent as it is to give it and that, once given by clicking on the option “accept all cookies” or “accept some group of cookies” through the control panel, it is not possible to remove it if you wish to do so later.
SECOND: On 04/10/22, the Director of the Spanish Agency for Data Protection issued an agreement of inadmissibility for processing because, after the analysis made of the documents provided and the concurrent circumstances, the representation of the complaining party was not considered to be sufficiently accredited.
THIRD: On 11/01/22, the claimant presented a written appeal for replacement that is estimated by the Director of the Spanish Agency for the Protection of Data on 11/15/22, taking into consideration the provisions of article 5.6 of the LPACAP and once the document provided by the claimant where confers its representation to the organization NOYB, (European Center for Digital Rights).
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
FOURTH: On 03/16/23, this Agency accessed the website ***URL.1, confirming the following characteristics about its “Policy of Cookies”:
A.- About the cookies detected when accessing the website:
When entering the website for the first time, once the terminal equipment has been cleaned of navigation history and cookies, without accepting new cookies or performing any action on the website, it has been verified that the following cookies are used:
a.1).- Strictly necessary cookies (4):
Cookie | Domain | Description |
---|---|---|
_abck | ***DOMAIN.1 | This cookie is used to detect and defend when a client tries to replay a cookie. This cookie manages the interaction with online bots and takes the appropriate measures. |
bm_sz | ***DOMAIN.1 | This cookie is set by the provider Akamai Bot Manager. This cookie is used to manage the interaction with online bots. It also helps in the prevention of fraud. |
OptanonConsent | ***DOMAIN.1 | This cookie is set by OneTrust to store details about the category of cookies on the site and verify whether visitors have given or withdrawn consent to the use of each category. |
ak_bmsc | ***DOMAIN.1 | Akamai uses this cookie to optimize site security by distinguishing between humans and bots. |
a.2).- Performance cookies (2):
Cookie | Domain | Description |
---|---|---|
AKA_A2 | ***DOMAIN.1 | Akamai sets this cookie to improve performance and optimize the response time between the visitor and the website. |
RT | ***DOMAIN.1 | Akamai sets this cookie to measure page loading time or other timers associated with the page. |
Note: Akamai Technologies, Inc. is a corporation that provides, among other services, a distributed computing platform for global Internet content and application delivery. It stores the server content of a client company on its own servers. When a user (client) wants to access that content (usually digital media such as audio, graphics, animation, video), all or part is downloaded from an Akamai server instead of the client company's.
The cookie “AKA_A2” appears on the website ***URL.2 as strictly necessary (***URL.3).
The “RT” cookie, although it appears on the website ***URL.2 as a performance cookie, is necessary to improve the performance of the website (***URL.4). According to the entity, these cookies allow us to count visits and sources of circulation in order to measure and improve the performance of the website. All the information these cookies collect is aggregated and therefore anonymous.
a.3).- Unclassified cookies (4): Cookies that could not be classified but that appear in the list of cookies existing in the control panel of the website, indicated by the person responsible for the website as “strictly necessary cookies”.
Cookie key | Domain |
---|---|
ITXSESSIONID | ***DOMAIN.1 |
MDSESSION | ***DOMAIN.1 |
bm_mi | ***DOMAIN.1 |
bm_sv | ***DOMAIN.1 |
Note: These cookies that could not be classified appear in the list of cookies existing in the control panel of the website as “strictly necessary cookies”: ***URL.1 <<Cookie settings>> <<Strictly necessary cookies>> <<information about cookies>>
B.- About the existing information regarding cookies on the home page and about the management of these:
When you enter the website for the first time, a banner with information about cookies appears on the main page, with the following message:
“By clicking “Accept all cookies”, you agree to cookies being stored on your device to improve site navigation, analyze site usage, and collaborate with our marketing studies.
<<Cookie Policy>> <<Cookie settings>> <<Accept all cookies>>
If you wish to manage the use of cookies through the link <<Cookie settings>> existing in the information banner, the website displays a control panel where the different groups of cookies appear pre-marked in the “OFF” position:
“Your privacy: Cookies and other similar technologies are an essential part of how our Platform works. The main objective of the cookies is to make your browsing experience more comfortable and efficient and to improve our services and the Platform itself. Likewise, we use cookies to be able to show you advertising that is of interest to you when you visit third-party websites and apps. Here you can get all the information about the cookies that we use and you can activate and/or deactivate them according to your preferences, except for those Cookies that are strictly necessary for the operation of the Platform. Please note that blocking some cookies may affect your experience on the Platform and the operation of it. Clicking “Confirm my preferences” will save the cookie selection you have made.
If you have not selected any option, pressing this button will be equivalent to rejecting all cookies. For more information you can visit our Cookies Policy. <<More information>>
Technical or necessary cookies <<Always active>>
These cookies are necessary for the Platform to function and cannot be deactivated in our systems. They are usually configured to respond to actions taken by you to receive services, such as adjusting your privacy preferences, logging in to the site, or filling in forms. You can set your browser to block or alert you to the presence of these cookies, but some parts of the Platform will not work.
Functionality or personalization cookies OFF ON
These cookies allow the Platform to offer better functionality and personalization. They may be established by us or by third parties whose services we have added to our pages. If you do not allow these cookies some of our services will not work correctly. To activate or deactivate cookies use the corresponding button. "Active" means that cookies can be used. "Inactive" means that cookies cannot be used. <<Cookie information>>
Analysis cookies OFF ON
These cookies allow us to count visits and sources of circulation to be able to measure and improve the performance of our Platform. They help us to know which pages are the most or least popular, and see how many people visit the site. If you do not allow these cookies we will not know when you visited our Platform. To activate or deactivate cookies use the corresponding button. "Active" means that cookies can be used. "Inactive" means that the cookies cannot be used. <<Cookie information>>
Cookies for advertising OFF ON
These cookies may be throughout the Platform, placed by our advertising partners. These third parties may use them to create a profile of your interests and show you relevant ads on other sites. If you do not allow these cookies, you may receive less targeted advertising. To activate or deactivate the cookies use the corresponding button. "Active" means that cookies can be used. "Inactive" means that the cookies cannot be used. <<Cookie information>>
Social network cookies OFF ON
These cookies are set by a number of social media services that we have added to the site to allow you to share our content with your friends and networks. They are able to track your browser through other sites and create a profile of your interests. This may modify the content and messages you find on other web pages you visit. But if you allow these cookies, you will not be able to view or use these sharing tools. To activate or deactivate cookies, use the corresponding button. "Active" means that cookies can be used. "Inactive" means that cookies cannot be used. <<Cookie information>>
<<Confirm my preferences>> <<Reject all>> <<Allow all>>
If you choose <<Confirm my preferences>> without having modified any of the boxes from the “OFF” position to the “ON” position, or click on the option <<Reject all>> with the intention of rejecting cookies that are not technical or necessary, in both cases it is checked how the website continues to use the cookies detected at the beginning, that is:
Cookies detected as technical or necessary | Necessary cookies according to the “Cookies Policy” of Akamai Technologies, Inc. | Unclassified cookies that the entity GRUPO MASSIMO DUTTI states are necessary in its “Policy of Cookies” |
---|---|---|
_abck | AKA_A2 | ITXSESSIONID |
bm_sz | RT | MDSESSION |
OptanonConsent | | bm_mi |
ak_bmsc | | bm_sv |
C).- About the possibility of withdrawing consent to the use of cookies once given.
Once consent has been given for the use of cookies through the option existing in the initial banner or through consent given in the control panel <<Accept all>>, it is verified that the following own and third-party cookies are installed:
Cookie | Provider |
---|---|
MUID | Bing.com |
ttp | Tiktok.com |
ts | Creativecdn.com |
U | Creativecdn.com |
CONSEND | Google.com |
NID | Google.com |
SOCS | Google.com |
AEC | Google.com |
CLID | Clarity.com |
_pinterest_ct_ua | ct.pinterest.com |
_ga | Google.com |
1P_JAR | Google.com |
_gid | Google.com |
However, it is found that there is no mechanism or access to the control panel that allows you to later withdraw the consent given and reject these cookies that had previously been accepted.
D.- About the information provided in the “Cookies Policy”:
If you access the “Cookies Policy”, through the link in the banner about cookies of the first layer or through the link at the bottom of the main page, the website redirects the user to a new page ***URL.5, where it informs about what cookies are and the different types of cookies that exist, and informs about the type of cookies used on the website and their purpose. It also informs how to update the browser of the terminal equipment to manage the cookies.
If you want to know the list of cookies that the website says it uses, you must access through the existing links in the control panel (<<Information of the cookies>>), where the list of cookies used by the website and their purpose appear.
SIXTH: On 03/22/23, by the Directorate of the Spanish Agency for Data Protection, a sanctioning procedure is initiated against the claimed entity, appreciating reasonable indications of violation of the provisions of art. 22.2 of the LSSI, for the irregularities detected on its website regarding the “Policy of Cookies”, that is, due to the absence of sufficient information in the first layer about the purposes of the installation of cookies, with an initial penalty of 5,000 euros, and due to the impossibility of managing the cookies used once the consent has been given, with an initial penalty of 5,000 euros.
SEVENTH: On 04/18/23, the complaining entity presents a written statement of allegations to the initiation of the file in which, among others, it indicates:
First.- In relation to the first of the alleged violations of the article 22.2 of the LSSI attributed to my client “due to the absence of information enough in the first layer about the purposes of installing the cookies", it should be noted that in the initial Agreement this assumption of non-compliance is described in detail as follows:
“The second of the banners reproduced (and the one that has been proven to be established at the time of approval of this initiation agreement) is considered not to provide “clear and complete” information about the purposes of the treatment. On the contrary, it simply states that cookies will be used “to improve site navigation, analyze site use and collaborate with our studies for marketing.” It is considered that such a generic reference lacks sufficient specificity of the purposes of use and would thereby violate the aforementioned article 22 of the Law 34/2002, of July 11, on Information Society Services and electronic commerce”.
That is, as can be deduced from the literal wording of the Initiation Agreement, the text that was published on 09/23/2022 did meet the requirement of including sufficient information in the first layer about the purposes of the installation of cookies, while the text that was published on 03/16/2023 did not meet this requirement.
Faced with this conclusion included in the Initiation Agreement as a reason to attribute a breach of the aforementioned Article 22.2 LSSI to my client, it must be demonstrated that there is total equivalence in terms of information on purposes of the installation of cookies among the texts published on 09/23/2022 and 03/16/2023, as explained in the following table:
Text published on 09/23/2022 | Text published on 03/16/2023 |
---|---|
“…analytical purposes…” | “…to improve site navigation, analyze its use…” |
“...to show you advertising related to your preferences from your browsing habits and your profile…” | “...collaborate with our studies to marketing…” |
Therefore, given this total equivalence in terms of information on purposes of the installation of cookies between the texts published on 09/23/2022 and 03/16/2023, any breach of Article 22.2 LSSI that is intended to be based on the absence of sufficient information in the first layer about the purposes of the installation of cookies must be flatly denied.
In any case, even when it is considered that the text that was published on 03/16/2023 in the first layer complies with the Regulations, the one to which reference is made in the Initiation Agreement as published on 09/23/2022 has been recovered and is currently published.
It should be noted that the return to the wording that was published on 09/23/2022 has no cause, to any extent, in the avoidance or rectification of a breach. Rather, what is intended is an improvement on the basis of the means of compliance that already existed, that is, that to which the Initiation Agreement refers as published on 03/16/2023.
In fact, the publication of the text that was shown on 03/16/2023 occurred due to a human error that resulted in said text being published instead of the one which was published on 09/23/2022.
The text change now made, with the incorporation of the one referenced in the Initiation Agreement as published on 09/23/2022, can be seen in the screenshot below:
We use our own and third-party cookies for analytical purposes and to show you advertising related to your preferences from your browsing habits and your profile. You can configure or reject the cookies by clicking on “Cookie Settings”. You can also accept all cookies by pressing the “Accept all cookies” button. For more information you can visit our.
<<Cookie Policy>> <<Cookie settings>> <<Accept all cookies>>
Second.- In relation to the second of the alleged violations of the article 22.2 of the LSSI attributed to my client “due to the impossibility of managing the cookies used once the initial consent has been given”, it should be noted that such infringement is flatly denied, since the user has always had and has the permanent possibility of managing cookies once the initial consent has been given, through an access link to the “Cookie settings” where you can reject cookies with a simple click.
Specifically, once the user accepts cookies on the home page of the Website and selects the market (geographical) and catalog (women / man) that they want to access, they always have available, in the horizontal menu located in the footer of the website, the “Cookie Settings” link (capture 1 below), with which they can access the console where they can reject cookies simply by clicking on the “Reject all” button (capture 2 below) or accept them again if they had rejected them previously (capture 3), through the corresponding buttons.
Even though this possibility of accessing the “Cookie Settings” has been present and easily accessible to the user at all times (with which, as has been said, the non-compliance referred to in the Initiation Agreement must be ruled out), the access “Cookie Settings”, as described below.
It must be made clear that this multiplication, reiteration or redundancy has no cause, to any extent, in the avoidance or cure of a breach. What is intended is the reinforcement of compliance, through facilitating access to the “Cookie Settings”, which is nothing more than a facilitation or improvement on the basis of the means of compliance that already existed.
Specifically, in addition to the access link to the “Cookie Settings”, which has always been in the horizontal menu of the footer of the Website:
- This same link has been included as the last of the links in the vertical menu located on the left side of the footer, just below the horizontal menu, as seen in the following screenshot, and where the link to the Cookie Information or the Cookie Policy Privacy is.
- This same link has been included on the initial or home page of the Website, just below the buttons to choose if you want to go to the catalog of a woman or a man, as seen in the following screenshot.
For all of the above, through these Allegations, I come to REQUEST that this document be considered presented and the preceding Allegations formulated in the Reference File and, following the appropriate procedures, that in due course a Resolution be issued declaring the non-existence of any infringement attributable to MASSIMO DUTTI in relation to the events described and the indicated regulations, proceeding to file the actions.
EIGHTH: On 04/19/23, this Agency accessed, once again, the website ***URL.1, stating the following characteristics about its “Policy of Cookies”:
A.- About the cookies detected when accessing the website:
When entering the website for the first time, once the terminal equipment has been cleaned of navigation history and cookies, without accepting new cookies or performing any action on the web page in question, and using the cookie detection tool of the Google Chrome browser (<right mouse button> > Inspect > Application > Cookies), it has been verified that the following cookies are used:
Cookies detected as technical or necessary | Necessary cookies according to the “Cookies Policy” of Akamai Technologies, Inc. | Unclassified cookies that the entity GRUPO MASSIMO DUTTI states are necessary in its “Policy of Cookies” |
---|---|---|
_abck | AKA_A2 | ITXSESSIONID |
bm_sz | RT | MDSESSION |
OptanonConsent | | bm_mi |
ak_bmsc | | bm_sv |
B.- About the existing information regarding cookies on the home page and about the management of these:
When you enter the website for the first time, a banner with information about cookies appears on the main page, with the following message:
We use our own and third-party cookies for analytical purposes and to show you advertising related to your preferences based on your browsing habits and your profile. You can configure or reject cookies by clicking on “Cookie settings”. You can also accept all cookies by clicking the “Accept all cookies” button. For more information you can visit our.
<<Cookie Policy>> <<Cookie settings>> <<Accept all cookies>>
If you wish to manage the use of cookies through the link <<Cookie settings>> existing in the information banner, the website displays a control panel where the different groups of cookies appear pre-marked in the “OFF” position:
- Technical or necessary cookies <<Always active>>
- Functionality or personalization cookies OFF ON <<Cookie information>>
- Analysis cookies OFF ON <<Cookie information>>
- Cookies for advertising OFF ON <<Cookie information>>
- Social network cookies OFF ON <<Cookie information>>
<<Confirm my preferences>> <<Reject all>> <<Allow all>>
If you choose <<Confirm my preferences>> without having modified any of the boxes from the “OFF” position to the “ON” position, or click on the option <<Reject all>> with the intention of rejecting cookies that are not technical or necessary, in both cases it is checked how the website continues to use the same cookies detected at the beginning.
C).- About the possibility of withdrawing consent to the use of cookies once given.
Once consent has been given for the use of cookies through the option existing in the initial banner or through consent given in the control panel <<Accept all>>, it is verified that the following third-party cookies are installed:
Cookie | Domain |
---|---|
MUID | .clarity.ms |
__Secure-1PAPISID | .google.es |
APISID | .google.es |
__Secure-3PSID | .google.es |
SSID | .google.es |
__Secure-1PSID | .google.es |
__Secure-3PAPISID | .google.com |
SAPISID | .google.com |
SSID | .google.com |
HSID | .google.com |
SID | .google.es |
__Secure-1PSID | .google.com |
SIDCC | .google.com |
SID | .google.com |
__Secure-3PSID | .google.com |
__Secure-3PAPISID | .google.es |
MUID | .bing.com |
__Secure-1PSIDCC | .google.com |
APISID | .google.com |
__Secure-3PSIDCC | .google.com |
SAPISID | .google.es |
__Secure-1PAPISID | .google.com |
ANONCHK | .c.clarity.ms |
CLID | .clarity.ms |
NID | .google.es |
SEARCH_E | .google.com |
MR | .c.clarity.ms |
ts | .creativecdn.com |
_RwBf | .bing.com |
ACLUSR | .bing.com |
ACL | .bing.com |
OIDR | .bing.com |
SM | .c.clarity.ms |
BFB | .bing.com |
BFBUSR | .bing.com |
SRCHUSR | .bing.com |
SRCHD | .bing.com |
_ttp | .tiktok.com |
1P_JAR | .google.com |
AID | .google.com |
tt_viewer | .teads.tv |
AEC | .google.com |
CONSENT | .google.com |
SOCS | .google.com |
NID | .google.com |
OTZ | .google.com |
u | .creativecdn.com |
OID | .bing.com |
OIDI | .bing.com |
_pinterest_ct_ua | .ct.pinterest.com |
MR | .c.bing.com |
SRCHHPGUSR | .bing.com |
SRCHUID | .bing.com |
SRM_B | .c.bing.com |
There is a link to the control panel at the bottom of the website <<cookie configuration>> that allows the user to manage the groups of cookies through the control panel. It is observed that now (after accepting all cookies) the groups are pre-checked “ON”.
However, if you wish to reject the use of cookies by clicking on the option <<reject all>> or moving the cursor from the “ON” position to the “OFF” of the different groups of cookies, and clicking on <<confirm my preferences>>, it is observed that the website continues to use third-party cookies installed when they were accepted at the beginning, making it impossible for the user, if they wish to change their mind, to now deny consent once given.
D.- About the information provided in the “Cookies Policy”:
If you access the “Cookies Policy”, through the link in the banner about cookies of the first layer or through the link at the bottom of the main page, the website displays a document: ***URL.6 where information is provided on what cookies are and the different types of cookies that exist, and information is provided on the type of cookies used on the website and their purpose. It also provides information on how to update the terminal equipment's browser to manage cookies.
If you want to know the list of cookies that the website says it uses, you must access through the existing links in the control panel (<<Information of the cookies>>), where the list of cookies used by the website and their purpose appear.
NINTH: On 04/24/23, a proposed resolution was formulated in the sense that the Director of the AEPD sanction the claimed party, for violation of what is established in article 22.2 of the LSSI, since consent cannot be withdrawn, once provided, in the use of cookies that are not technical or necessary, with a sanction of 5,000 euros (five thousand euros), and considering that the message that is provided in the information banner about cookies: “We use our own cookies and from third parties for analytical purposes and to show you advertising related to your preferences based on your browsing habits and your profile. You can configure or reject cookies by clicking on “Cookie Settings”. You can also accept all cookies by pressing the “Accept all cookies” button. For more information you can visit our”, is equivalent in terms of information about purposes of the installation of cookies with that published on 09/23/22, does not contradict with the provisions of article 22.2 of the LSSI.
TENTH: On 05/17/23, the claimed entity presented allegations to the proposed resolution, where it stated, among others, the following:
First.- In relation to the violation of article 22.2 of the LSSI attributed to my principal due to “the impossibility of rejecting the cookies used once initial consent has been given, even if there is a permanent link to the control panel”, it should be noted that in the Proposed Resolution this alleged breach is described in detail as follows:
“It has been proven that there is a mechanism or permanent access to the control panel at the bottom of the page <<settings cookies>> that allows access to the control panel for the management of the cookies. However, if you wish to reject the use of cookies by clicking on the <<reject all>> option or by moving the cursor from the “ON” position to the “OFF” position and clicking on <<confirm my preferences>>, it is observed that the website continues to use cookies from third parties installed when they were initially accepted.”
The operation described in the Proposed Resolution (“…if desired reject the use of cookies by clicking on the option <<reject all>> or moving the cursor from the “ON” position to the “OFF” position and by clicking on <<confirm my preferences>>, you can see that the website is still using third-party cookies installed when they were accepted at beginning.”), is not complete to the extent that, as explained below, although the rejected cookies were still visible to the user, in no case were they used since they were blocked (this is spoken of in the past tense due to the novelty that is explained in the Second Allegation).
In this sense, it should be clarified that the user could reject the cookies used once the initial consent had been given through the control panel, in that:

- Tools were used to review the acceptance of cookies at execution time.
- All cookies were reviewed just before use to verify that the user had accepted the category in which the cookie is included.
- In the event that the user had rejected cookies during navigation, they were still in the browser's cookie system, but in no case were they used, since their use was blocked through JavaScript code.
- This operation applied both to own or first-party cookies and to third-party cookies, with the exception of strictly necessary cookies.

In section “2. Cookie blocking model” of the document “Cookie system”, which is incorporated as Annex I, this model, used until now on the Site and consisting of blocking the use of cookies rejected by the user through JavaScript code, is described and exemplified.

It should be noted that the operational novelty that follows this model, stated in the Second Allegation, has been implemented as an improvement to the accreditation of compliance with the Regulations, since in no case do we understand that the blocking model just described can be considered a breach thereof. Rather, the cookie blocking model was considered to be a model fully in accordance with the applicable Regulations and, specifically, one that complied with Article 22.2 of the LSSI, on which the sanction on my principal is intended to be based.

That is, it has evolved from a system of blocking rejected cookies that already complied with the Regulations towards a model of elimination / expiration of rejected cookies (explained in the Second Allegation) that improves the accreditation of compliance with Article 22.2 of the LSSI.
Second.- Therefore, within the process of continuous improvement in the accreditation of compliance and out of concern for the user, my client has implemented a technological solution so that rejected cookies are deleted/expired from the browser's cookie storage system.

This technological improvement is applied (i) to own or first-party cookies, and (ii) to third-party cookies, in the latter case provided that there are no technical limitations that prevent the elimination of the cookies.

Specifically, section “3. Cookie deletion/expiration model” of the document “Cookie System”, which is incorporated as Annex I, explains and details that a model has been implemented by which all cookies that have not been accepted by the user are eliminated / expire from the browser.

Specifically, if a user rejects cookies, none of the cookies that are integrated through Google Tag Manager will be used. Therefore, none of the cookies indicated in the following list will be used: (…).

Third.- Additionally, and also within the same process of continuous improvement in the accreditation of compliance and out of concern for the user, my client has implemented a change in the Cookies Policy (accessible from the cookies banner or from the footer of the Site).

The change in the Cookies Policy is aimed at improving information and transparency in the event that the cookie management or configuration system does not allow cookies to be deleted once accepted by the user, for which it provides information on the tools provided by browsers, warning that if the user accepts third-party cookies and later wants to delete them, they can do so from their own browser.

The information in this sense has been incorporated in the second, third and fourth paragraphs of point “4. How can I manage the use of Cookies in this Platform?” of the Cookies Policy.
For all of the above, through these Allegations, I REQUEST that this document be considered presented, together with the preceding Allegations, in the Reference File and that, after the appropriate procedures, a Resolution be issued finding that no infringement is attributable to MASSIMO DUTTI in relation to the events described and the regulations indicated, and that the proceedings be closed.

ELEVENTH: On 06/06/23, this Agency again accessed the website ***URL.1, verifying the following characteristics of its “Cookies Policy”:

A.- About the cookies detected when accessing the website:

When entering the website for the first time, once the terminal equipment has been cleaned of browsing history and cookies, without accepting new cookies or performing any action on the web page in question, and using the cookie detection tool of the Google Chrome browser (<right mouse button>, Inspect, Application, Cookies), it has been verified that the following cookies are used:

| Cookies detected as technical or necessary | Necessary cookies according to the “Cookies Policy” of the entity Akamai Technologies, Inc. | Unclassified cookies that GRUPO MASSIMO DUTTI states are necessary in its “Cookies Policy” |
|---|---|---|
| _abck | AKA_A2 | ITXSESSIONID |
| bm_sz | RT | MDSESSION |
| OptanonConsent | | bm_mi |
| ak_bmsc | | bm_sv |

B.- About the existing information regarding cookies on the home page and about the management of these:

When you enter the website for the first time, a banner with information about cookies appears on the main page, with the following message:

We use our own and third-party cookies for analytical purposes and to show you advertising related to your preferences based on your browsing habits and your profile. You can configure or reject cookies by clicking on “Cookie settings”. You can also accept all cookies by clicking the “Accept all cookies” button. For more information you can visit our <<Cookie Policy>>.

<<Cookie settings>> <<Accept all cookies>>

If you wish to manage the use of cookies through the link <<Settings cookies>> in the information banner, the website displays a control panel where the different groups of cookies appear pre-marked in the “OFF” position:

- Technical or necessary cookies: <<Always active>>
- Functionality or personalization cookies: OFF / ON, <<Cookie information>>
- Analysis cookies: OFF / ON, <<Cookie information>>
- Cookies for advertising: OFF / ON, <<Cookie information>>
- Social network cookies: OFF / ON, <<Cookie information>>

<<Confirm my preferences>> <<Reject all>> <<Allow all>>

If you choose <<Confirm my preferences>> without having moved any of the boxes from the “OFF” position to the “ON” position, or click on the option <<Reject all>> with the intention of rejecting cookies that are not technical or necessary, in both cases it is verified that the website continues to use the same cookies detected at the beginning.

C).- About the possibility of withdrawing consent to the use of cookies once given.
Once consent has been given for the use of cookies through the option in the initial banner or through the control panel option <<Accept all>>, it is verified that the following third-party cookies are installed:

MUID .clarity.ms /__Secure-1PAPISID .google.es / APISID .google.es /__Secure-3PSID .google.es / SSID A .google.es /__Secure-1PSID .google.es / __Secure-3PAPISID .google.com /SAPISID .google.com / SSID .google.com /HSID A .google.com / SID .google.es /__Secure-1PSID .google.com / SIDCC .google.com /SID .google.com / __Secure-3PSID .google.com /__Secure-3PAPISID .google.es / MUID 3 .bing.com /__Secure-1PSIDCC .google.com / APISID .google.com /__Secure-3PSIDCC .google.com / SAPISID .google.es /__Secure-1PAPISID .google.com / ANONCHK .c.clarity.ms /CLID .clarity.ms / NID .google.es /SEARCH_E .google.com / MR .c.clarity.ms /ts .creativecdn.com/ _RwBf .bing.com /ACLUSR .bing.com / ACL .bing.com /OIDR .bing.com / SM .c.clarity.ms /BFB .bing.com / BFBUSR .bing.com /SRCHUSR .bing.com / SRCHD .bing.com /_ttp .tiktok.com / 1P_JAR .google.com /AID .google.com / tt_viewer .teads.tv /AEC .google.com / CONSENT .google.com /SOCS .google.com / NID .google.com /OTZ .google.com / u .creativecdn.com /OID .bing.com / OIDI .bing.com /_pinterest_ct_ua .ct.pinterest.com MR .c.bing.com /SRCHHPGUSR .bing.com / SRCHUID .bing.com /SRM_B .c.bing.com /

There is a link to the control panel at the bottom of the website, <<cookie configuration>>, that allows the user to manage the groups of cookies through the control panel. It is observed that now (after accepting all cookies) the groups are pre-checked “ON”.
If you wish to reject the use of cookies by clicking on the option <<reject all>> or by moving the cursor from the “ON” position to the “OFF” position of the different groups of cookies and clicking on <<confirm my preferences>>, it is observed that the website NO longer uses the cookies that were consented to, using only the technical or necessary cookies detected at the beginning.

D.- About the information provided in the “Cookies Policy”:

If you access the “Cookies Policy”, through the link in the first-layer cookie banner or through the link at the bottom of the main page, the website displays a document, ***URL.7, which explains what cookies are and the different types of cookies that exist, and provides information on the type of cookies used on the website and their purpose. It also provides information on how to update the terminal equipment's browser to manage cookies.

If you want to know the list of cookies that the website says it uses, you must go through the links in the control panel (<<Information of the cookies>>), where the list of cookies used by the website and their purpose appears.

PROVEN FACTS.

From the actions carried out in this procedure, the following facts have been accredited:

First: In the verification carried out by this Agency on 03/16/23 on the website ***URL.1, the following characteristics were verified in its “Cookies Policy”:

a).- About the use of non-necessary cookies without the prior consent of the user, it was verified that, upon entering the main page and without performing any action on it or accepting cookies, cookies were used, including two performance cookies (“AKA_A2” and “RT”) that, although they appear with the domain “***DOMAIN.1”, are used by Akamai Technologies, Inc. (a computing platform for the global delivery of Internet content of client companies) to optimize the response time between the visitor and the website. According to the entity Akamai Technologies, Inc. (a platform that stores the content of the server of a client company (Massimo Dutti) on its own servers), these cookies are necessary because they make it possible to count visits and traffic sources in order to improve the performance of the website. According to them, all the information collected by these cookies is aggregated and, therefore, is anonymous.

Four cookies were also detected that could not be classified (ITXSESSIONID; MDSESSION; bm_mi; bm_sv), although the party responsible for the website (GRUPO MASSIMO DUTTI, S.A) classifies them as strictly necessary cookies in the list that appears in the control panel.

When consent is given for the use of cookies through the option in the initial banner or through the control panel option <<Accept all>>, it is verified that the following third-party cookies are installed: MUID; ts; CONSEND; SOCS; CLID; _ga; _gid; ttp; or; NID; AEC; _pinterest_ct_ua and 1P_JAR.

Therefore, it can be considered that the website does not use cookies that are not technical or necessary until the user provides consent to it.

b).- On the cookie information banner in the first layer, it was considered that it did not provide “clear and complete” information on the purposes of the treatment, since it was limited to stating that cookies would be used “to improve site navigation, analyze its use and collaborate with our studies for marketing”.

c).- Regarding the withdrawal of consent once given, it was found that there was no mechanism or permanent access to the control panel that would allow consent, once given, to be withdrawn later.
Second: In the verification carried out by this Agency on 04/19/23 on the website ***URL.1, the following characteristics were verified in its “Cookies Policy”:

a).- About the use of non-necessary cookies without the prior consent of the user, it was verified that, upon entering the main page and without performing any action on it or accepting cookies, cookies were used, including two performance cookies (“AKA_A2” and “RT”) that, although they appear with the domain “***DOMAIN.1”, are used by Akamai Technologies, Inc. (a computing platform for the global delivery of Internet content of client companies) to optimize the response time between the visitor and the website. According to the entity Akamai Technologies, Inc. (a platform that stores the content of the server of a client company (Massimo Dutti) on its own servers), these cookies are necessary because they make it possible to count visits and traffic sources in order to improve the performance of the website. According to them, all the information collected by these cookies is aggregated and, therefore, is anonymous.

Four cookies were also detected that could not be classified (ITXSESSIONID; MDSESSION; bm_mi; bm_sv), although the party responsible for the website (GRUPO MASSIMO DUTTI, S.A) classifies them as strictly necessary cookies in the list that appears in the control panel.

When consent is given for the use of cookies through the option in the initial banner or through the control panel option <<Accept all>>, it is verified that third-party cookies are installed, whose providers are: Google, Bing.com; Clarity.ms; .teads.tv and creativecdn.com.
b).- On the cookie information banner in the first layer, the following message can be read:

We use our own and third-party cookies for analytical purposes and to show you advertising related to your preferences based on your browsing habits and your profile. You can configure or reject cookies by clicking on “Cookie settings”. You can also accept all cookies by clicking the “Accept all cookies” button. For more information you can visit our

c).- Regarding the withdrawal of consent once given, it was found that there is now a mechanism or permanent access to the control panel at the bottom of the page, <<cookie settings>>, that allows access to the control panel for cookie management. However, if you wish to reject the use of cookies by clicking on the option <<reject all>> or by moving the cursor from the “ON” position to the “OFF” position and clicking on <<confirm my preferences>>, you can see that the website is still using the third-party cookies installed when they were initially accepted.

Third: In the verification carried out by this Agency on 06/06/23 on the website ***URL.1, it was verified, regarding the deficiencies detected in the cookies, that, once consent has been given for the use of cookies through the option in the initial banner or through the control panel option <<Accept all>>, if you wish to withdraw the consent given, there is a link to the control panel at the bottom of the web page, <<cookie configuration>>, that allows the user to manage the groups of cookies through the control panel.
It is observed that now (after accepting all cookies) the groups are pre-marked in the “ON” option, and if you wish to reject the use of cookies by clicking on the option <<reject all>> or by moving the cursor from the “ON” position to the “OFF” position of the different groups of cookies and clicking on <<confirm my preferences>>, it is observed that the website NO longer uses the cookies that were consented to at the beginning, again using only the technical or necessary cookies detected at the beginning.

FOUNDATIONS OF LAW

I.- Competence:

The Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure, in accordance with the provisions of art. 43.1, second paragraph, of Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI).

II.- About the cookie information banner in the first layer (main page):

In its transparency guidelines, WG29 recommends the use of layered privacy statements or notices, that is, ones that present the information in layers, so that the user can go to those aspects of the statement or notice that are of greatest interest to them, thus avoiding information fatigue, without prejudice to all the information being available in a single place or in a complete document that can be easily accessed if the interested party wishes to consult it in its entirety.

This system may consist of displaying the essential information in a first layer, when the page or application is accessed, and completing it in a second layer through a page that offers more detailed and specific information about cookies.

The first-layer cookie banner must include a generic identification of the purposes of the cookies that will be used, without it being necessary to identify them.
In the case at hand, this Agency has verified the existence of two successive banners, whose existence and content have been incorporated into the file:

First, dated 09/23/22, the informative text of the banner was as follows:

“We use our own and third-party cookies for analytical purposes and to show you advertising related to your preferences based on your browsing habits and your profile. You can configure or reject cookies by clicking on “Cookie settings”. You can also accept all cookies by clicking the “Accept all cookies” button. For more information you can visit our Cookies Policy.”

Dated 03/16/23, the banner text was as follows:

“By clicking “Accept all cookies”, you agree that cookies are saved to your device to improve site navigation, analyze its usage, and collaborate with our marketing studies. <<Cookies Policy>>”

This sanctioning procedure having been initiated on the consideration that this second banner did not provide “clear and complete” information about the purposes of the treatment, the claimed entity stated that both wordings were fully equivalent in terms of the information on generic purposes that must be provided in the initial banner, comparing both texts:

| Text published on 09/23/2022 | Text published on 03/16/2023 |
|---|---|
| “…analytical purposes…” | “…to improve site navigation, analyze its use…” |
| “...to show you advertising related to your preferences based on your browsing habits and your profile…” | “...collaborate with our marketing studies…” |

Complete information about the purposes of the cookies used is provided in the “Cookie policy” of the website, ***URL.7

Therefore, based on the evidence available, it is considered that the generic information banner about cookies included on the main page of the website in question, dated 03/16/23, does not contradict the provisions of article 22.2 of the LSSI, as it includes a generic identification of the purposes of the cookies that will be used.

III-1 About the withdrawal of consent for the use of cookies once given.

Users must be able to withdraw the consent previously granted at any moment. To this end, the publisher must ensure that it provides users, in its cookie policy, with information on how they can withdraw consent and delete cookies.

The user must be able to revoke consent easily. The system offered for withdrawing consent should be as easy as the one used when giving it. This ease will be considered to exist, for example, when the user has simple and permanent access to the cookie management or configuration system.

In the present case, in the verification of the website in question carried out by this Agency on 03/16/23, it was found that, once consent was given for the use of cookies that were not technical or necessary, through the option in the initial banner or through the control panel option <<Accept all>>, third-party cookies were installed, whose suppliers were Google, Bing.com; Clarity.ms; .teads.tv and creativecdn.com. However, it was found that there was no mechanism or access to the control panel that would later allow the consent given to be withdrawn and these previously accepted cookies to be rejected.

This sanctioning procedure having been initiated, and in view of the allegations presented by the claimed party, a check of the website was carried out again on 04/19/23, in which it was detected that the website had been modified to include a mechanism or permanent access to the control panel at the bottom of the page, <<cookie settings>>, that allowed access to the control panel for cookie management.
However, if you wanted to reject the use of previously allowed cookies that are not technical or necessary, by clicking on the option <<reject all>> or by moving the cursor from the “ON” position to the “OFF” position and clicking on <<confirm my preferences>>, it was observed that the website was still using the third-party cookies installed when they were initially accepted.

After the allegations regarding the proposed resolution, a third verification of the website in question was carried out on 06/06/23, in which this Agency detected that, once consent has been given for the use of cookies that are not technical or necessary, if you wish to withdraw the consent given, the website NO longer uses the cookies that were consented to, again using only the technical or necessary cookies detected at the beginning, the third-party cookies disappearing.

In this sense, although it is noted that the party responsible for the website has modified the cookie policy, adapting it to current regulations, that does not make the non-compliance that has been proven disappear, since this Agency carried out the first check of the website on 03/16/23.

III-2 Typification and qualification of the administrative offense

The deficiencies detected in the cookie policy, from the verification carried out on 04/19/23 until the last one, dated 06/06/23, on the website in question, regarding the impossibility of rejecting third-party cookies that are not technical or necessary once the initial consent has been given, constitute a violation of the provisions of article 22.2 of the LSSI, which establishes that:

“Service providers may use data storage and retrieval devices on recipients' terminal equipment, provided that the recipients have given their consent after having been provided with clear and complete information on their use, in particular on the purposes of data processing, in accordance with the provisions of Organic Law 15/1999, on the protection of personal data.

Where technically possible and effective, the recipient's consent to accept the processing of the data may be facilitated through the use of the appropriate settings of the browser or other applications.

The above will not prevent possible storage or access of a technical nature for the sole purpose of carrying out the transmission of a communication over an electronic communications network or, to the extent strictly necessary, for the provision of an information society service expressly requested by the recipient.”

III-3. Sanction

This infraction is classified as “minor” in article 38.4 g) of the aforementioned Law, which considers as such: “Use data storage and recovery devices when the information has not been provided or the consent of the recipient of the service has not been obtained in the terms required by article 22.2.”, and may be sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned LSSI.

Considering the factors set out, the value reached by the fine, for the violation of article 22.2, is 5,000 euros (five thousand euros).

Therefore, in accordance with the applicable legislation and having evaluated the criteria for graduating the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency,

RESOLVES:

FIRST: IMPOSE on GRUPO MASSIMO DUTTI, S.A., with NIE.: A78115201, responsible for the website ***URL.1, for a violation of article 22.2 of the LSSI, classified as “minor” in article 38.4 g), a fine of 5,000 euros (five thousand euros).

SECOND: NOTIFY this resolution to GRUPO MASSIMO DUTTI, S.A.

Warn the sanctioned party that it must make the sanction imposed effective once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by paying it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into the restricted account IBAN No.: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A. Otherwise, it will be collected in the enforcement period.

Once the notification has been received and once enforceable, if the date of enforceability falls between the 1st and 15th of each month, both inclusive, the deadline for voluntary payment will be the 20th of the following month or the immediately following business day, and if it falls between the 16th and the last day of each month, both inclusive, the payment period will be until the 5th of the second following month or the immediately following business day.

In accordance with article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month from the day following the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.

Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final administrative resolution may be provisionally suspended if the interested party expresses the intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronicaweb/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also send the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not made aware of the filing of the contentious-administrative appeal within a period of two months from the day following notification of this resolution, it will end the precautionary suspension.

Mar España Martí
Director of the Spanish Data Protection Agency
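
The three-state comparison the Agency ran in its verifications (cookie jar before any interaction, after <<Accept all>>, after <<Reject all>>), together with the deletion/expiration model described in the second allegation, can be reproduced offline from exported cookie snapshots. The following JavaScript is an added example, not code from the decision or from the website; the host `www.shop.example`, the function names and the snapshot contents (including the domains given to `_ga` and `_gid`) are assumptions constructed for illustration.

```javascript
// Added example, not part of the decision. All snapshots are constructed.
// Entries mirror the columns shown by Chrome DevTools > Application > Cookies.

const SITE_HOST = "www.shop.example"; // placeholder: the decision redacts the real host

const key = (c) => `${c.name}|${c.domain}|${c.path || "/"}`;

// Compare the jar before consent, after <<Accept all>> and after <<Reject all>>.
function auditWithdrawal(baseline, afterAccept, afterReject) {
  const base = new Set(baseline.map(key));
  const accepted = new Set(afterAccept.map(key));
  const leftovers = afterReject.filter((c) => !base.has(key(c)));
  return {
    setOnConsent: afterAccept.filter((c) => !base.has(key(c))),
    persisting: leftovers.filter((c) => accepted.has(key(c))),
    newAfterReject: leftovers.filter((c) => !accepted.has(key(c))),
    withdrawalEffective: leftovers.length === 0,
  };
}

// Page script can expire a cookie only if it is not HttpOnly and its domain
// matches the page host: exactly for host-only cookies (no leading dot),
// exactly or as a parent domain for domain cookies (leading dot).
function removableByPageScript(cookie, siteHost = SITE_HOST) {
  if (cookie.httpOnly) return false;
  const host = siteHost.toLowerCase();
  const domain = cookie.domain.toLowerCase();
  if (!domain.startsWith(".")) return host === domain;
  const bare = domain.slice(1);
  return host === bare || host.endsWith("." + bare);
}

// Value a consent manager would assign to document.cookie to expire a cookie.
// Name, Domain and Path must match the stored cookie or a new one is created.
function expiryDirective(cookie) {
  const parts = [`${cookie.name}=`];
  if (cookie.domain.startsWith(".")) parts.push(`Domain=${cookie.domain.slice(1)}`);
  parts.push(`Path=${cookie.path || "/"}`);
  if (cookie.secure) parts.push("Secure");
  parts.push("Expires=Thu, 01 Jan 1970 00:00:00 GMT");
  return parts.join("; ");
}

// Split the cookies that survived a rejection into those the site can expire
// itself and those outside the reach of its own script.
function planWithdrawal(persisting, siteHost = SITE_HOST) {
  const expire = [];
  const outOfReach = [];
  for (const c of persisting) {
    if (removableByPageScript(c, siteHost)) expire.push(expiryDirective(c));
    else outOfReach.push(`${c.name} (${c.domain})`);
  }
  return { expire, outOfReach };
}

// Constructed snapshots. Cookie names are taken from the decision; the
// domains under shop.example and the flags are assumptions.
const baseline = [
  { name: "_abck", domain: ".shop.example" },
  { name: "bm_sz", domain: ".shop.example" },
  { name: "OptanonConsent", domain: ".shop.example" },
  { name: "ITXSESSIONID", domain: "www.shop.example", httpOnly: true },
];
const consentOnly = [
  { name: "_ga", domain: ".shop.example" },
  { name: "_gid", domain: ".shop.example" },
  { name: "MUID", domain: ".clarity.ms" },
  { name: "NID", domain: ".google.com", httpOnly: true },
];
const afterAccept = [...baseline, ...consentOnly];
const afterRejectStale = [...afterAccept]; // jar unchanged by <<Reject all>>
const afterRejectClean = [...baseline];    // jar back to the baseline

const stale = auditWithdrawal(baseline, afterAccept, afterRejectStale);
console.log("withdrawal effective:", stale.withdrawalEffective);
console.log(planWithdrawal(stale.persisting));
console.log(
  "after fix:",
  auditWithdrawal(baseline, afterAccept, afterRejectClean).withdrawalEffective
);
```

Cookies reported in `outOfReach` belong to other sites or are HttpOnly, so the page's own script cannot expire them; they stop being set only when the third-party resource is no longer loaded, or the user clears them in the browser.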