GDPR, Cookies and Sanctions
By Roxana Barica
Some of the fines imposed throughout the European Union on websites that are not cookie-compliant
As a general rule, since the entry into force of the GDPR and from an enforcement perspective, the obligations on cookies depend on the type of cookie, such as:
- strictly necessary cookies: these cookies are essential to use the website and its features, such as accessing secure areas of the site (e.g. cookies that allow web shops to hold your chosen items in your shopping cart while you are purchasing online). For strictly necessary cookies, the website owner is obliged to inform the visitor of their existence and function but does not have to obtain explicit consent.
- all other cookies (e.g. cookies that allow a website to remember the choices you have made in the past on preferred language, your user name and password). Cookies that are not strictly necessary to use the website can only be placed on a website when a visitor has given his express consent for the use thereof.
What the BDPA decided, and also significantly sanctioned, was that most analytical cookies, i.e. cookies that are used to monitor the activities of the visitors on the website and to improve access and user experience, are not strictly necessary and therefore need explicit consent insofar as they are exclusively beneficial to the website and not to the visitor.
SPAIN: At the end of October 2019, the Spanish Supervisory Authority Agencia Española Protección Datos (“Supervisory Authority”) issued a fine against an airline based on its use of a cookie banner, which the Supervisory Authority considered not to be compliant with privacy provisions.
The Supervisory Authority based its decision on the following arguments:
- the consent to transfer data to third parties via the cookies can only be provided implicitly, as the user is not provided with an option to (i) reject the installation of such cookies, or (ii) refuse or withdraw consent to the use of such cookies, except as provided through the browser settings.
- the configuration does not provide a cookie management system or configuration panel that would enable users to reject the cookies in a granular way.
The Supervisory Authority issued a fine of EUR 30,000 (which is the maximum possible fine under the Spanish Act of the Services of the Information Society and Electronic Commerce). This, however, was reduced to a total of EUR 18,000, as the law provides for a reduction where the fined company acknowledges its responsibility for the violation within the term provided to formulate its response (here 20%), as well as an additional reduction if the company pays the set fine before the resolution of the proceedings (here 20%).