In April 2022, the Spanish data protection supervisory authority – Agencia Española de Protección de Datos (AEPD) – issued several fines. In this article we review four of those decisions, totaling 178,000 euros.

What is the AEPD issuing fines for, and why?

Unlawful use of cookies and outdated policies

In Decisions 482, 483, and 603, the AEPD issued fines for unlawful processing of personal data, lack of information about the processing of personal data and placement of cookies on data subjects’ terminals without their consent.

In Decision 482 the company was fined for having an outdated Privacy Policy that referred to a repealed law and lacked the information required under Art. 13, GDPR. The AEPD also found that non-essential cookies were placed on data subjects’ terminals when they accessed the website, without a cookie banner being presented or any interaction being required from the user, breaching Art. 22.2, Spanish Law 34/2002, on information society services and electronic commerce (LSSI). Additionally, the website had no information about third-party cookies or a description of the types of cookies in place.

In Decision 483 the AEPD also found an outdated Privacy Policy, a lack of the information required by Art. 13, GDPR, and the placement of non-essential cookies without data subjects’ consent. This decision differs from Decision 482 because, in this case, the company was displaying a cookie banner. However, the banner did not comply with the GDPR, as it only stated the following:

“This website uses own and third-party cookies to offer you a better service. If you continue browsing, we consider that you authorize their use”

According to the AEPD, the banner lacked: a) Mention of the person responsible for the website; b) Description of the cookies used in the website and their purpose; c) Description of categories of personal data when profiles were created; and d) Buttons or settings to accept, reject or customize cookies.

Additionally, the authority found that the website lacked a policy informing about third-party cookies, the time that cookies remained in users’ terminals and the type of cookies used.

In Decision 603, the AEPD fined the company for the same breaches already mentioned in Decision 482. However, the authority also found that a form on the website used by customers to place orders lacked a tick-box or other means by which data subjects could provide a clear affirmative action indicating agreement to the processing of their personal data.

Identity verification

Decision 476 involves a complaint against an electricity service provider for having modified a contract without the customer’s consent, which resulted in an increase in the electricity supply. During the investigation, the authority determined that the amendment to the contract was the result of a request from an individual impersonating the customer.

The company claimed to have acted in strict accordance with its established protocol for contractual amendments. However, that protocol relied on data that may be known by third parties, such as ID number, name and surname, telephone number and address. As a result, the AEPD concluded that the electricity provider’s protocol lacked an appropriate level of security for the processing of personal data under Art. 32, GDPR, which resulted in a contractual amendment without the data subject’s consent.

Lessons learned from the AEPD fines

Cookie banners. Controllers using non-essential cookies must obtain data subjects’ consent. That consent must be a freely given, specific, informed and unambiguous affirmative action by the data subject. For consent regarding cookies to be informed, controllers must provide details about their trackers by means such as cookie banners and policies. The AEPD recommends displaying buttons that let data subjects accept, reject or customize cookies with the same level of ease.

Web forms. Forms on websites should be designed so that data subjects can provide an affirmative action consenting to the processing of their personal data. The AEPD recommends including the URL of the Privacy Policy in the forms.

Cookies interaction. Non-essential cookies should not be placed on data subjects’ terminals without their consent. In addition, they should not be triggered based on users’ interactions with the website (e.g., scrolling or mouse movement).
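As an added illustration of the cookie-banner and cookie-interaction lessons above (example code written for this article, not code from the AEPD or from any consent-management product), the following JavaScript models a consent gate: strictly necessary cookies are always allowed, every other category stays blocked until the user clicks accept, reject or customize, and scrolling, mouse movement or continued browsing never changes the state. It also checks a banner description against the four items the AEPD found missing in Decision 483. The category names, cookie names, event types and banner structures are constructed for this example.

```javascript
// Added example (not from the article or the AEPD): a consent gate that lets
// non-essential cookies be placed only after an explicit banner action.
// Category names, cookie names and event types are constructed for this example.

const CATEGORIES = ["necessary", "analytics", "marketing"];

// Inventory a cookie policy has to describe: category, whether a third party
// sets it, purpose and lifetime. Entries are constructed placeholders, not real trackers.
const COOKIE_INVENTORY = {
  session_id: { category: "necessary", thirdParty: false, purpose: "keep the user logged in", maxAgeDays: 0 },
  _stats:     { category: "analytics", thirdParty: true,  purpose: "page-view statistics",    maxAgeDays: 365 },
  _ads:       { category: "marketing", thirdParty: true,  purpose: "ad personalisation",      maxAgeDays: 180 },
};

class ConsentGate {
  constructor() {
    this.decided = false;
    // Strictly necessary cookies are exempt from consent; nothing else is granted by default.
    this.granted = new Set(["necessary"]);
  }

  // Only explicit banner actions change the consent state.
  handleEvent(event) {
    switch (event.type) {
      case "accept_all":
        this.granted = new Set(CATEGORIES);
        this.decided = true;
        break;
      case "reject_all":
        this.granted = new Set(["necessary"]);
        this.decided = true;
        break;
      case "customize": {
        const chosen = (event.categories || []).filter((c) => CATEGORIES.includes(c));
        this.granted = new Set(["necessary", ...chosen]);
        this.decided = true;
        break;
      }
      // Browsing behaviour is not an affirmative action: scrolling, moving the
      // mouse or continuing to browse leaves the consent state untouched.
      case "scroll":
      case "mousemove":
      case "navigate":
        break;
      default:
        throw new Error(`unknown event type: ${event.type}`);
    }
  }

  // A cookie may be placed only if it is declared in the inventory and its category is granted.
  mayPlace(cookieName) {
    const entry = COOKIE_INVENTORY[cookieName];
    return Boolean(entry) && this.granted.has(entry.category);
  }
}

// Replay a visit's events and return the cookies that would be placed, sorted by name.
function simulateVisit(events) {
  const gate = new ConsentGate();
  for (const e of events) gate.handleEvent(e);
  return Object.keys(COOKIE_INVENTORY).filter((n) => gate.mayPlace(n)).sort();
}

// Check a banner description for the four items the AEPD listed as missing in
// Decision 483: the party responsible, the cookies used and their purposes, the
// personal-data categories used when profiles are created, and accept/reject/customize controls.
function bannerComplete(banner) {
  const hasController = typeof banner.controller === "string" && banner.controller.length > 0;
  const describesCookies = Array.isArray(banner.cookies) && banner.cookies.length > 0
    && banner.cookies.every((c) => c.name in COOKIE_INVENTORY);
  const profilingOk = !banner.profiling
    || (Array.isArray(banner.profilingDataCategories) && banner.profilingDataCategories.length > 0);
  const hasButtons = ["accept", "reject", "customize"].every((b) => (banner.buttons || []).includes(b));
  return hasController && describesCookies && profilingOk && hasButtons;
}

// The sanctioned banner reduced to its structure: no controller, no cookie list, no buttons.
const SANCTIONED_BANNER = { controller: "", cookies: [], profiling: false, buttons: [] };

// A constructed banner that carries all four items.
const COMPLIANT_BANNER = {
  controller: "Example Shop S.L. (constructed)",
  cookies: [{ name: "session_id" }, { name: "_stats" }, { name: "_ads" }],
  profiling: true,
  profilingDataCategories: ["browsing history"],
  buttons: ["accept", "reject", "customize"],
};

console.log(simulateVisit([{ type: "scroll" }, { type: "mousemove" }]));
console.log(simulateVisit([{ type: "customize", categories: ["analytics"] }]));
console.log(bannerComplete(SANCTIONED_BANNER), bannerComplete(COMPLIANT_BANNER));
```

The design point is that the gate's state can only move through the three banner actions; the browser events that Decisions 482 and 603 turned on (page load, scrolling) are accepted by the handler but deliberately do nothing, so a cookie-setting script wired behind `mayPlace` cannot fire before a real click. In a live site the same gate would sit in front of whatever loads the tag-manager or third-party scripts, and the inventory object doubles as the source for the cookie policy's table of providers, purposes and lifetimes.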

Transparency. Web notices (e.g., Privacy Notice, Privacy Policy, Cookie Policy) must be accurate, up to date and provide the information referred to in Art. 13, GDPR.

Customer verification. The obligation of controllers and processors to implement appropriate technical and organizational measures should be reflected in procedures such as the verification of customers’ identities. The measures should take into consideration the state of the art, costs of implementation, and nature, scope, context, and purposes of the processing.