The Spanish Data Protection Agency (SDPA) recently fined two small to medium size companies (SMEs) for non-compliance of the relevant duties on ‘cookies’ requirements, in the amounts of €3,000 and €500 respectively. In particular, as further described below, said fines arise from the infringement of the obligations laid down under article 22.2 of the Spanish E-Commerce Act (LSSI). These companies included information storage devices or cookies on their websites, but the information provided to users on cookies use and purposes, or the reference thereof, was confusing. Consequently, the consumers´ consent, as understood by the SDPA, was not provided under the conditions legally required.
As a reminder, the Directive 2002/58/EC, known as the Directive on privacy and electronic communications, was implemented in Spain in 2002 by Royal Decree-Law 13/2012 of March 31, 2012 amending in turn the Spanish E-Commerce Act. In particular, the new requirements are set forth in article 22.2 (clear and complete information, definition of purposes, consent, etc. in accordance with the provisions of the Spanish Data Protection Act 15/1999 (DPA)). In an attempt to clarify the effective implementation of the legislation on cookies, the SDPA in collaboration with the industry associations Adigital (e-commerce association), Autocontrol (self-control advertising association) and IAB Spain, published the first guide on cookies; indeed the first of this type within the EU. This guide refers, among others, to the duties on information, consent and practical implementation, including examples.
In the SDPA’s view under the aforementioned fining resolutions, the information referring to cookies provided on these websites did not fulfil the legal requirements for users’ valid consent. More precisely, these companies did not define the type of ‘cookies’ used, identify whether they were of their own or third-party ones or the intended purposes thereof. These infringements were qualified by the SDPA as of minor nature (as set forth by article 38.4.g of the Spanish E-Commerce Act), implying a maximum fine of €30,000. However, since there was no intention by the infringing companies to obtain any benefit from the breach, the DPA by applying the principle of proportionality, finally reduced the relevant amount to €3,000 and €500, as previously explained. In addition, one of the companies was fined with further €1,500 for breach of articles 5.1 and 2 of the DPA on information duties.
The referred sanctions on ‘cookies’ arise after a long silence by the SDPA in this specific area. Further, it has been highly criticised that the first fines (after the implementation of this legislation) were against SMEs. Nevertheless, the relevant aspect of the sanctions is not the amount or the type of companies affected, but the fact that the DPA has already started to fine for nonconformity, which should be taken as a clear warning for the market.
Norman Heckh is a Partner at Ramón y Cajal Abogados. He can be contacted at email@example.com