Spanish Data Protection Agency fines Twitter over Cookies
Breach of Spanish Information Society and Electronic Commerce Act
The Spanish Data Protection Agency has announced its decision of 3 March 2020, in which it resolved to fine Twitter International Company EUR 30,000 for an infringement of Article 22.2 of Spanish Information Society and Electronic Commerce Act 34/2002, of 11 July, in relation to cookies.
INTRODUCTION
On 9 June 2020 the Spanish Data Protection Agency (Agencia Española de Protección de Datos, "AEPD") announced its decision of 3 March 2020, in which it resolved to fine TWITTER INTERNATIONAL COMPANY ("Twitter") EUR 30,000 for an infringement of Article 22.2 of Spanish Information Society and Electronic Commerce Act 34/2002, of 11 July (the "Spanish Internet Act"), in relation to cookies. While the sanction is imposed on the international corporation, its Spanish subsidiary is identified in parentheses. The decision does not include further reasoning with respect to Spanish data protection jurisdiction under Article 56 GDPR.
The sanctioning procedure was initiated after a complaint was received from an individual in relation to the company's use of cookies on its website www.twitter.com. In the course of the investigation, the AEPD found the following deficiencies:
- Non-necessary cookies were automatically downloaded. Specifically, the decision noted that simply by visiting the website, and without any type of notification, non-exempt cookies were downloaded.
- The banner included on the website did not contain a message or link allowing users to "reject" the cookies or redirecting users to a second layer where they could configure their cookie settings. It merely indicated "If you continue browsing, you accept the use of cookies", but no information was given on how to reject cookies or how to configure them at a granular level.
- The cookie policy accessible using a link at the bottom of the webpage indicated how to configure cookie settings on the various browsers, but did not allow users to simply reject cookies or configure them at a granular level.
In the AEPD's opinion, the foregoing facts constituted an infringement of the provisions of Article 22.2 of the Spanish Internet Act.
The AEPD took the following circumstances into account in setting the amount of the fine:
- the existence of intention, interpreted as equivalent to a degree of guilt, since it fell to the company to establish a system to obtain informed consent compliant with the mandate of the Spanish Internet Act;
- the period during which the company had committed the infringement, the complaint having been made in May 2018;
- the nature and amount of damage caused, in relation to the volume of users affected by the infringement, given that the reported company currently has over 4 million profiles registered in Spain;
- the profit gained as a result of the infringement, in relation to the volume of users affected thereby; and
- the turnover affected by the infringement committed.
The AEPD sanctioned Twitter with an administrative fine amounting to EUR 30,000, together with the obligation to take any corrective measures necessary to comply with the provisions of Article 22.2 of the Spanish Internet Act. In relation to this latter obligation, it should be noted that the AEPD made express reference to the Guide on the use of cookies that it published in November 2019, which is available in English.
AEPD COOKIE GUIDE
The Guide contains practical guidelines on how to meet the requirements of Article 22.2 of the Spanish Internet Act, indicating that, with the exception of so-called exempt cookies, before any cookies are downloaded (i) users must be informed and (ii) their consent must be obtained.
TRANSPARENCY
The Guide lists the disclosures to users that are considered essential, clarifying that such disclosures must be communicated in a concise, transparent and intelligible manner, using clear and simple language.
The Guide also establishes that the information may be provided using a layered approach, where the essential information is provided on the first layer, upon visiting the website or application, and the other, more detailed and cookie-specific information is provided on a second-layer page.
The disclosures that must be included in the first layer are as follows:
- identity of the website's publisher;
- identification of the purposes for which the cookies will be used;
- whether the cookies are first or third party;
- general information on the type of data that will be collected and used if user profiles are created;
- the way in which the user can accept, configure and reject the use of cookies, with the notification, if necessary, that certain actions will be understood as acceptance by the user of use of the cookies;
- a clearly visible link to a second layer including more detailed information.
CONSENT
The second requirement for the use of non-exempt cookies is to obtain user consent. Consent may be obtained (i) in an express manner, such as by clicking a box that reads "consent", "accept" or similar; or (ii) through an unequivocal action on the part of the user, provided that the user has been provided with clear and accessible information as to the purposes for which the cookies will be used and whether they will be used by the publisher, by third parties or by both. Inactivity on the user's part cannot be considered a provision of consent by that user under any circumstances.
In relation to the second modality of consent, the Guide clarifies that for a "continue browsing" option in the banner or first layer to be considered valid consent, the informative notification must be included in a clearly visible place and in such a way that its colour, size or location can ensure that the user does not fail to notice it. The user must also perform an action that can be considered clearly affirmative, for which the Guide provides the example of browsing to a separate section of the website (but not the second layer with information on cookies or the privacy policy), moving the sidebar down, closing the first-layer notification or clicking on content in the website. Merely staying on the website, moving the mouse or pressing a key on the keyboard cannot be considered acceptance.