The way a well-known social media platform collected individuals' consent and processed personal data through cookies was challenged by the Spanish data protection authority, which issued a privacy-related fine against the company.
The privacy-related fine against the social media for cookies
The Agencia Española de Protección de Datos (“AEPD”), the Spanish data protection authority, imposed a fine of € 30,000 on the social media platform for its handling of cookies installed on the devices of over 4 million registered users in Spain, in violation of local data protection rules on the use of cookies.
The case originates from a complaint received by the privacy authority in 2018, which reported the unlawful management of cookies on the well-known social media platform. On the basis of that complaint, the authority initiated an inspection procedure between 2018 and 2019, the results of which confirmed the alleged infringements. In particular, it first emerged that the platform was automatically storing on users' devices cookies that were not strictly necessary, including some unidentified cookies and others used for advertising purposes. In addition, the cookie banner that automatically appeared on the platform at the time of access, although it specified the type of cookies used, in the opinion of the data protection authority
- did not allow the user to refuse cookies other than those strictly necessary,
- did not redirect to an additional control panel for their management and configuration, and
- did not contain any link to the extended policy (i.e., cookie policy).
Furthermore, on the last point, the AEPD found that the cookie policy was accessible only through a link in the footer of the home page. Also, although the platform indicated the nature and purposes of the processing of personal data collected through cookies and other tracking technologies, it provided only a generic reference to the possibility for the user to manage cookies through browser settings, without including or directly setting up any actual method for refusing cookies or selecting them on a granular basis.
Therefore, in light of all the above, the AEPD imposed a fine of € 30,000 on the social media platform. This amount was calculated on the basis of specific criteria, explained in the authority's decision, relating to:
- the company’s negligence in fulfilling its obligations under the applicable legislation;
- the prolonged period of time during which the infringement lasted;
- the nature and amount of the damage caused by the large volume of users affected by the breach;
- the profits obtained from the violation, also taking into account the volume of users involved; and
- the turnover affected by the infringement committed.
Time to review your cookies policy
There is no doubt that the processing of personal data through cookies has been one of the hottest privacy-related topics in recent months. Based on my experience, data protection authorities often start from cookie policies and website privacy information notices when reviewing a company's data protection law compliance right before a dawn raid. The reason is simply that they are the most visible evidence of a potential lack of compliance.
Now that the lockdown measures have hopefully been lifted in most jurisdictions after the peak of the Covid-19 emergency, it is likely that privacy authorities will restart their investigations and dawn raids. And the pandemic outbreak cannot be a long-term excuse for a lack of compliance.
On this topic, you may find interesting the article “Top 5 immediate actions to get ready for Italian privacy dawn raids”.
Image Credit: Paul Inkles