Spain has joined in on the fines for cookie violations. As we covered there have been hundreds of millions of dollars in fines for hospital groups, tech companies, and consumer businesses that have ulawfully placed cookies and tracked users around the internet without their permission.
Just less than a month again on November 5, 2024, the Spanish Data Protection Authority (AEPD) issued a decision in Proceeding No. PS/00284/2024, imposing a fine of €20,000, later reduced to €12,000, on SEAT SA for non-compliance with the Law on Information Society Services and Electronic Commerce (LSSI). The penalty highlighted the ongoing regulatory focus on ensuring adherence to cookie laws and transparency requirements.
Background of the Case
The AEPD initiated its investigation by conducting a series of checks on SEAT’s website. It found that certain cookies were placed automatically at the start of a user’s session without obtaining prior consent, a violation of the LSSI. The cookies identified included:
- Technical or necessary cookies, essential for distributing website traffic, storing cookie-related data, and logging user decisions.
- Functionality or preference cookies, which customize user experience by remembering preferences.
The issue lay in the deployment of these cookies prior to user consent, breaching fundamental principles of transparency and informed consent outlined in both the LSSI and the General Data Protection Regulation (GDPR).
Broader Context: Similar Fines in Spain
This case is part of a broader trend in Spain, where companies have faced increasing scrutiny and penalties for improper cookie practices. In a notable example, the AEPD fined Vueling Airlines €30,000 in 2019 for failing to provide users with an option to refuse non-essential cookies while navigating its website. Similarly, in 2023, another fine of €60,000 was imposed on a Spanish online retailer for deploying tracking cookies without obtaining explicit user permission.
These cases emphasize a recurring issue: companies are often failing to balance their operational needs with user privacy rights, particularly regarding cookie consent frameworks.
Relation to GDPR Enforcement Across Europe
The issues highlighted in SEAT’s case resonate with similar GDPR violations across the European Union. Under GDPR, consent for cookies must be specific, informed, freely given, and unambiguous. Automatic deployment of cookies without prior action by the user directly contravenes this principle. For example:
- In 2021, Google and Amazon faced fines of €100 million and €35 million, respectively, in France for cookie violations, as their websites placed tracking cookies without proper consent mechanisms.
- Similarly, in Germany, Deutsche Telekom was fined €900,000 for failing to provide clear and accessible cookie settings.
Challenges with Cookie Tracking and Consent
The SEAT case reflects a larger industry struggle with balancing data collection needs and user privacy. Common issues include:
- Insufficient Consent Mechanisms: Many websites continue to use pre-checked boxes or vague consent banners, violating GDPR requirements for clear and explicit user consent.
- Dark Patterns in Consent Design: Some sites make it difficult for users to opt out of cookies, leading to unintentional consent.
- Failure to Distinguish Cookie Types: Not separating essential cookies (necessary for website functionality) from non-essential cookies (such as tracking or marketing cookies) contributes to compliance failures.
What the AEPD Action Means For Your Business?
The AEPD’s action against SEAT SA serves as a reminder to organizations not only across Spain and the EU but even in Asia and the Americas that you need to prioritize compliance with cookie regulations otherwise expect to pay a fine or deal with a lawsuit like the CIPA suits by Swigart Law. Companies must ensure their cookie banners are transparent and user-friendly, providing clear distinctions between essential and non-essential cookies and enabling users to make informed decisions. With regulatory authorities intensifying their enforcement, businesses must act proactively to avoid hefty fines and reputational damage.
