AEPD (Spain) - EXP202309359
AEPD - EXP202309359 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico |
Type: | Complaint |
Outcome: | Upheld |
Started: | 18.12.2023 |
Decided: | |
Published: | 22.03.2024 |
Fine: | 5,000 EUR |
Parties: | Motorsport Network España |
National Case Number/Name: | EXP202309359 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | lm |
The DPA found that a ‘pay or okay’ cookie banner violated the Spanish e-Privacy Law and imposed a €5,000 fine.
English Summary
Facts
On 22 May 2023, a data subject filed a complaint with the AEPD against Motorsport Network España (the controller). The complaint alleged that the controller’s webpage used a ‘pay or okay’ scheme in its cookie banner, requiring data subjects to either consent to cookies and use the page or free, or to subscribe for a fee in order to reject any cookies.
In its investigation, the AEPD noted that upon entering the webpage for the first time, the controller utilised non-technical cookies, which require consent under the ePrivacy Directive, without the prior consent of the user.
After the cookies were already applied, the controller prompted data subjects with a cookie banner that provided two options in its first layers. First, the user could accept the cookies and use the webpage for free. In this case, the webpage continued to use the same cookies that it had utilised prior to the consent being prompted or given. Second, the user could select a box marked ‘Demonstrate the Options’, which brought users to a second banner that showed all cookie use marked as ‘off’ except for analytics cookies, which were marked as ‘on’. Additional details about each type of cookie could be obtained, but only in English. If a data subject wished to reject all of the cookies by clicking the ‘Confirm my preferences’ button (without manually adjusting any of the settings, including the default ‘on’ setting for analytics cookies), the webpage would continue using the cookies that it utilised prior to requesting consent. A new pop-up would then appear prompting data subjects to either become subscribers for a monthly fee and access the webpage without advertising, or to accept all of the cookies.
The AEPD also considered the options for users to withdraw consent. The controller provided such options in a ‘Manage Preferences’ link at the bottom of the webpage. Therein, data subjects could access the cookie control panel and manually switch each cookie from ‘on’ to ‘off’. Nonetheless, when they hit confirm preferences, they were faced with the same option to either accept all cookies or to begin a paid subscription.
On 18 December 2023, the AEPD initiated sanctioning proceedings against the controller.
Holding
The AEPD found that the controller’s use of non-technical cookies without consent, the inability to reject consent in a granular manner and the impossibility of withdrawing consent violated Article 22(2) LSSI. These practices did not enable the data subject to give adequate consent and thus could not provide a legal basis for using cookies pursuant to the national law.
The AEPD considered this a slight infraction pursuant to Article 38(4) LSSI and imposed a €5,000 fine.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/14 Procedure No.: EXP202309359 (PS/00507/2023) RESOLUTION OF THE SANCTIONING PROCEDURE BACKGROUND FIRST: On 05/22/23, Mr. A.A.A. (hereinafter, the complaining party) filed claim before the Spanish Data Protection Agency. The claim is directed against the entity MOTORSPORT NETWORK ESPAÑA, S.L. with CIF.: B87730164, owner of the website: https://es.motorsport.com (hereinafter, the part claimed), for the alleged violation of Law 34/2002, of July 11, on Services of the Information Society and Electronic Commerce (LSSI). The grounds on which the claim was based were that this company uses a form illegal cookie consent on its website where it requires you to accept the cookies to access the content for free or to subscribe for payment if You do not want cookies to be installed. SECOND: On 07/07/23, in accordance with the provisions of article 65.4 of Organic Law 3/2018, of December 5, on Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), this Agency reported said claim to the claimed party, so that it could proceed with its analysis and report, in the period of one month, over what was stated in the statement of claim. The transfer was carried out in accordance with the rules established in Law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations (LPACAP) and according to the certificate of the Electronic Notifications and Address Service Electronic, was sent to the claimed party on 07/07/23 through the electronic notifications, “NOTIFIC@”, being expired due to expiration, upon exceeding the deadline established for the appearance, 07/18/23. Although the transfer was validly carried out by electronic means, it was considered Once the procedure was carried out in accordance with the provisions of article 41.5 of the LPACAP, the a copy by postal mail, dated 07/18/23, to the address indicated in the Registry Mercantil Central, as corporate address: ***ADDRESS.1, being returned to its destination on 08/03/23, with the message “unknown”, as stated in the acknowledgment of receipt that work in the file. THIRD: On 08/22/23, in accordance with article 65 of the LOPDGDD, The claim presented by the complaining party was admitted for processing. FOURTH: On 11/13/23, the Inspection Subdirectorate of the Spanish Agency of Data Protection carried out the following diligence, regarding the “Policy of Data Cookies” of the website in question: a).- About the cookies used before the user provides the consent: When entering the website https://es.motorsport.com/ for the first time, after having cleared the computer's browser cache and installed cookies, and after having C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/14 forced the browser to download the latest version of the web page hosted on the remote server, it is verified how it uses the following cookies without the prior consent of the user: - Cookies of a technical nature: cookies Domain Description INGRESSCO Records which server cluster is OKIE bh.context serving the visitor. This is used in web.com context with load balancing, for Optimize user experience. This cookie is associated with sites that they use Google Tag Manager to upload _dc_gtm_UA- . other scripts and codes in one 5127509-1 motorsper page. When used, it can t.com be considered strictly necessary and which, without it, other scripts may not work correctly. Cookie generated by applications based in the PHP language. This is a general identifier used to maintain session variables PHPSESSID en.motors user. It is usually a number randomly generated port.com, the way used may be site specific, but A good example is maintaining the state of login of a user between pages. __cf_bm .script.ac Used to distinguish between humans and robot. This cookie is set by the solution cookie compliance Optanon. OneTrust. Stores information about Motor consent by categories of cookies used by the site and to t.com if visitors have given or withdrawn their consent for the use of each category. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/14 - Performance cookies: They allow you to quantify the number of visits and sources of traffic to be able to evaluate the performance of the site and serve to know what pages are the most visited and how visitors navigate the place: cookies Domain Description Located on a site that uses the time analysis platform _chartbeat2 .motorsport.com real Chartbeat. Is used for distinguish between new visitors and recurring. - Cookies detected from Google Analytics: cookies Domain Description _gid .motorsport.com This cookie is set by Google Analytics. Store and updates a single value for each page visited and used to count and perform a follow-up of the pages viewed. _ga .motorsport.com This cookie is associated with Google Analytics, and used to distinguish users unique by assigning a number randomly generated as identifier customer. It is included in each site page request and is used to calculate the visitor data, sessions and reporting campaigns site analytics. _ga_ .motorsport.com Google Analytics uses this PVMXPYS8TW cookie to preserve the session status. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/14 - Targeting or advertising cookies: specifically designed to collect information on viewing the pages visited and being able to send advertising based on relevant topics that interest the user: cookies Domain Description demdexMore .demdex.net This cookie allows Adobe Audience Manger to perform basic functions like visitor identification, ID synchronization, segmentation, modeling, reporting, etc. dpmMore .dpm.demdex.net Adobe Audience Manager uses this cookie to register information about the ID synchronization. _fbp .motorsport.com Used by Meta to offer a series of products advertising, such as offers on real time advertisers external. chaos .rubiconproject.com This cookie performs information about how the end user use the website and any advertising that the end user have seen before visiting said website. uuid2 .adnxs.com This cookie allows advertising directed through the platform AppNexus – Collect data anonymous about views of ads, IP addresses, visits to pages and more. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/14 - Functionality cookies: allow the website to remember elections what you do (such as your username, your language, or the area you are in) find), and offer better, more personalized features. cookies Domain Description _cb_svref .motorsport.com This is a cookie owned by Microsoft MSN used to measure website usage for statistical analysis internal. - Cookies whose purpose could not be identified: cookies Domain Description adblfree .motorsport.com opt_out .postrelease.com Third party ms_touch .motorsport.com .motorsport.com sessions 30daysExpires _cb .motorsport.com ktcid .kargo.com Third party pageviewSession .motorsport.com C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/14 cookies Domain Description FPLC .motorsport.com _pbjs_userid_consent_dat .motorsport.com to _pc_PianoABtestv2 .motorsport.com __browsiSessionID .motorsport.com ucountry.motorsport.com Sessions7days.motorsport.com abtestv2 .motorsport.com Sessions7daysExpires .motorsport.com ntvSession .motorsport.com FPID .motorsport.com C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/14 cookies Domain Description CONSUMABLEID .serverbid.com Third Party KCCHMore .ads.pubmatic.com Third Party HAPLB8G .go.sonobi.com Third party _pc_20ABtestv2 .motorsport.com Sessions30days.motorsport.com __browsiUID .motorsport.com audit .rubiconproject.com Third party b).- About the cookie information banner existing in the first layer (Homepage): When entering the website for the first time, an information banner about cookies appears with the following message: We care about your privacy. We and our 464 partners store or access information of the device, such as unique identifiers in cookies to process data personal. You can accept or manage your preferences by clicking below, including the right to object based on your legitimate interest or, in any moment, through the privacy policy page. Your preferences are They will notify our partners and will not affect browsing data. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/14 We and our partners process data to provide: Use precise geographic location data. actively analyze the device characteristics for identification. Understanding the public through of statistics or through the combination of data from different sources. Store or access device information. measure the content performance. Use of limited data for the purpose of selecting the content. Development and improvement of services. Limited data usage with objective of selecting advertising. Using profiles for content selection personalized. Create profiles for personalized advertising. Measure the performance of advertising. Use profiles to select personalized advertising. Create profiles to personalize content. <<List of Suppliers>> <<Show the Purposes>><<I accept>> If you choose to accept all cookies by clicking on the <<Accept>> option, you will check how the website continues to use the cookies detected at the beginning of the visit, before giving consent. If you click on the <<Show Purposes>> option, the website displays a panel of control where cookie groups are pre-marked “OFF”, except the group of cookies with the title “Analytics” which are pre-marked in “ON” option. If the information of this group of cookies is displayed by clicking on (+) in the title of the “Analytics” group, information about the purpose of these cookies appears in the language English, (whose translation is): “The collection of information about your use of the content, and its combination with previously collected information, is used to measure, understand and inform about your use of the service. This does not include Personalization, collecting information about your use of this service to personalize subsequently the content and/or advertising to you in other contexts, it is That is, on other services, such as websites or applications, over time. If you want to see the list of providers, click on Your privacy and View the consent of the provider. If you wish to reject all cookies, clicking on the option <Confirm my preferences> without moving any cursor of the cookie groups, from the position “OFF” to the “ON” position and moved the cursor of the “Analytics” cookie group of the position “ON” to the “OFF” position, it is checked how the website continues using the cookies detected at the beginning of navigation. Once the preferences are confirmed, (without having given consent for the use of cookies) the website displays a new information banner: Become a member and access the website without advertising or accept cookies C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/14 We report from the Formula 1 and MotoGP paddocks because, like you, we love our sport. To do our job, our website uses cookies. Among other things, this Optimize your sleep experience and adjust ads to your interests. Without However, we want to give you the opportunity to enjoy our website without ads. You have two options: 1. Become a member for a small monthly fee, without cookies, but with a better website experience and more benefits-/2. Accept cookies and enjoy our content for free. <<BECOME A MEMBER>> <<ALLOW COOKIES>> <<Are you already a member? Connect here>> In this new banner it is verified that there are only two possibilities if you want to continue browsing the website, or you previously accept all cookies by clicking on the <<Allow Cookies>> option or you must become a member for a fee monthly, where, according to the information provided, they assure that they will not install cookies. c).- About the information provided in the second layer (Privacy Policy). Cookies): If you access the “Cookie Policy” through the link at the bottom from the main page, the website redirects the user to a new page, https://es.motorsport.com/info/cookie-policy/ where information is provided about: what are cookies; What is the purpose of the information collected through cookies, what type of cookies exist and how cookies can be managed through the browsers installed on the terminal equipment. d).- Regarding the possibility of modifying the consent once given in relationship with cookies. If the user has given initial consent for the website to use cookies that are not technical or necessary and you want to modify said consent, there is the possibility of accessing the cookie control panel through the link <<Manage Preferences>> existing at the bottom of the web page you are visiting, to through which the cookie control panel appears, where the groups of Cookies are now marked “ON.” If you wish to withdraw consent, you must move the cursors of the groups of cookies from the “ON” position to the “OFF” position and click on <<Confirm my preferences>>. However, if this process is carried out, the website displays the information banner where it only allows the option to “accept all the cookies” or “become a member of the club” by paying a monthly fee. FIFTH: On 12/18/23, the Director of the Spanish Agency for the Protection of Data agreed to initiate sanctioning proceedings against the entity, MOTORSPORT NETWORK ESPAÑA, S.L. with CIF.: B87730164, owner of the website: https://es.motorsport.com/, in accordance with the provisions of articles 63 and 64 of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/14 Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (LPACAP), for the alleged violation of article 22.2 of the LSSI, classified as “mild” in article 38.4.g) of the aforementioned standard, regarding the “Cookie Policy” of said page. In the opening agreement it was determined that the sanction that could apply, taking into account the evidence existing at that time and without prejudice to what may result of the instruction would amount to a total of 5,000 euros (five thousand euros). The notification of the agreement to open the file was carried out in accordance with the standards established in Law 39/2015, of October 1, on the Procedure Common Administrative Administration of Public Administrations (LPACAP). According to Certificate of the Correos y Telégrafos State Company, S.A., the document initiating file sent to the corporate address, ***ADDRESS.1, was returned to its destination on 08/03/23, with the message “unknown”, as stated in the acknowledgment of receipt that work in the file., according to the Central Commercial Registry, it was returned to its origin by “unknown” on 01/10/24. On 01/16/24, notification of the initiation agreement was made through an announcement in the single Edictal Board of the Official State Gazette, in accordance with article 44 of the LPACAP. In said announcement the claimed party is informed about the possibility of obtain a copy of the opening agreement. SIXTH: The aforementioned initiation agreement has been notified in accordance with the rules established in the LPACAP and after the period granted for the formulation of allegations has elapsed, it has been verified that no allegation has been received from the party claimed in this Agency. Article 64.2.f) of the LPACAP - provision of which the claimed party was informed in the agreement to open the procedure - establishes that if no allegations within the stipulated period regarding the content of the initiation agreement, when This contains a precise statement about the imputed responsibility, may be considered a proposal for a resolution. In the present case, the agreement beginning of the sanctioning file determined the facts in which the imputation, the violation of the LSSI attributed to the defendant and the sanction that could be impose Therefore, taking into consideration that the claimed party has not made allegations to the agreement to initiate the file and in response to what established in article 64.2.f) of the LPACAP, the aforementioned initiation agreement is considered in the present case proposed resolution. In view of everything that has been done, by the Spanish Data Protection Agency In this procedure, the following are considered proven facts: PROVEN FACTS Unique: In the verification carried out and completed by this Agency on 11/13/23, in the website https://es.motorsport.com/, the following deficiencies could be verified in its "Cookies policy": C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/14 - It was found that cookies were used that were not of a technical or necessary without the user's consent: o Performance cookies: _chartbeat2 o Google Analytics Cookies (performance): _gid; _ga; _ga_PVMXPYS8TW. o Targeting or advertising cookies: demdexMás; dpmMore; _fbp; chaos; uuid2; o Functionality cookies: _cb_svref; o Cookies whose purpose could not be identified: adblfree; opt_out (.postrelease.com.- third party); ms_touch; _cb; ktcid; (.kargo.com third party); FPLC; _pbjs_userid_consent_data; _pc_PianoABtestv2; __browsiSessionID; ucountry; abtestv2; ntvSession; FPID; CONSUMABLEID (.serverbid.com.- third party); KCCHMás (.ads.pubmatic.com.- third party); HAPLB8G (.go.sonobi.com.- third party); _pc_20ABtestv2; __browsiUID; Audit (.rubiconproject.com.- third party) - It was verified that there is no possibility for the user to reject the use of cookies that are not of a technical nature since in the case of all cookies are rejected in the control panel, the website returns to display a new banner where there is only the possibility of accepting all cookies or, where applicable, register on the website in exchange for a fee monthly and where it is insured, according to the information provided in said banner, that cookies will not be installed. - The impossibility of withdrawing consent once given was confirmed. FOUNDATIONS OF LAW Yo Competence. In accordance with the provisions of article 43.1 of the LSSI and the provisions of the articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." The fourth additional provision "Procedure in relation to powers attributed to the Spanish Data Protection Agency by other laws" establishes that: "The provisions of Title VIII and its implementing regulations will apply to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/14 the procedures that the Spanish Data Protection Agency would have to process in the exercise of the powers attributed to it by other laws." II Classification of the offense committed The deficiencies detected, regarding the cookie policy, on the website https://es.motorsport.com, that is, the use of cookies that are not of a nature technique without the user's consent; the impossibility of rejecting them or being able manage them in a granular way and the impossibility of withdrawing consent once provided, they represent the commission of the violation of article 22.2 of the LSSI, since establishes: “Service providers may use storage devices and data recovery on recipients' terminal equipment, provided that they have given their consent after they have been provided clear and complete information on its use, in particular on the purposes of data processing, in accordance with the provisions of the LO 15/1999, of December 13, on the protection of personal data. Where technically possible and effective, the consent of the recipient to accept the processing of the data may be facilitated through the use of the appropriate settings of the browser or other applications. The above will not prevent possible storage or access of a technical nature for the sole purpose of carrying out the transmission of a communication over a network of electronic communications or, to the extent strictly necessary necessary, for the provision of an information society service expressly requested by the recipient.” III Sanction This Infraction is classified as “minor” in article 38.4 g) of the aforementioned Law, which considers as such: “Use data storage and recovery devices when the information has not been provided or the consent of the recipient of the service in the terms required by article 22.2.”, and may be sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned LSSI. The LSSI, in its article 40, establishes the “graduation of the amount of sanctions”, taking into account the following criteria: a) The existence of intentionality. b) Period of time during which the infraction has been committed. c) Recidivism due to the commission of infractions of the same nature, when so it has been declared by final resolution. d) The nature and amount of the damages caused. e) The benefits obtained from the infringement. f) Billing volume affected by the infraction committed. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/14 g) Adherence to a code of conduct or a self-regulation system applicable advertising regarding the infringement committed, which complies with the provided in article 18 or in the eighth final provision and that has been favorably informed by the competent body or bodies. After the evidence obtained, it is considered appropriate to graduate the sanction to be imposed. in accordance with the following aggravating criterion, established by art. 40 of the LSSI: - The existence of intentionality (section a). Expression that must be interpreted as equivalent to the degree of guilt according to the Judgment of the National Court of 11/12/07 falling in Appeal no. 351/2006, corresponding to the reported entity the determination of a system for obtaining informed consent that is appropriate to the mandate of the LSSI. In accordance with these criteria, it is considered appropriate to impose, for the violation of the article 22.2 of the LSSI, regarding the cookie policy made on the website of its ownership, a fine of 5,000 euros (five thousand euros). Therefore, in accordance with the above, by the Director of the Agency Spanish Data Protection, RESOLVES: FIRST: IMPOSE the entity MOTORSPORT NETWORK ESPAÑA, S.L. with CIF.: B87730164, owner of the website: https://es.motorsport.com/, for the violation of article 22.2 of the LSSI, typified in art. 38.4.g) of the aforementioned standard, a fine of 5,000 euros (five thousand euros). SECOND: NOTIFY the resolution to MOTORSPORT NETWORK ESPAÑA S.L. THIRD: This resolution will be enforceable once the deadline to file the optional resource for replacement (one month counting from the day following the notification of this resolution) without the interested party having made use of this power. The sanctioned person is warned that he must make effective the sanction imposed once This resolution is executive, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Real Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, through your entry, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the account restricted IBAN No.: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A.. Otherwise, it will be collection in executive period. Once the notification is received and once executive, if the Execution date is between the 1st and 15th of each month, both inclusive, the deadline to make the voluntary payment will be until the 20th of the month next or immediately following business day, and if it is between the 16th and last day of each month, both inclusive, the payment term will be until the 5th of the second month following or immediate subsequent business. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/14 Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month to count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronicaweb/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer the documentation to the Agency that proves the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious appeal. administrative within a period of two months from the day following notification of the This resolution would end the precautionary suspension. Sea Spain Martí Director of the Spanish Data Protection Agency. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es