Spanish Data Protection Agency fines Twitter over Cookies
Breach of Spanish Information Society and Electronic Commerce Act
01 July 2020
The Spanish Data Protection Agency has announced its decision of 3 March 2020, in which it resolved to fine Twitter International Company EUR 30,000 for an infringement of Article 22.2 of Spanish Information Society and Electronic Commerce Act 34/2002, of 11 July, in relation to cookies.
On 9 June 2020 the Spanish Data Protection Agency (Agencia Española de Protección de Datos, "AEPD") announced its decision of 3 March 2020, in which it resolved to fine TWITTER INTERNATIONAL COMPANY ("Twitter") EUR 30,000 for an infringement of Article 22.2 of Spanish Information Society and Electronic Commerce Act 34/2002, of 11 July (the "Spanish Internet Act"), in relation to cookies. While the sanction is imposed on the international corporation, its Spanish subsidiary is identified in parenthesis. The decision does not include further reasoning with respect to Spanish data protection jurisdiction under Article 56 GDPR.
- Non-necessary cookies were automatically downloaded. Specifically, the decision noted that simply by visiting the website, and without any type of notification, non-exempt cookies were downloaded.
The AEPD took the following circumstances into account in setting the amount of the fine:
- the existence of intention, interpreted as equivalent to a degree of guilt, it falling to the company, therefore, to establish a system to obtain informed consent compliant with the mandate of the Spanish Internet Act;
- the period during which the company had committed the infringement, the complaint having been made in May 2018;
- the nature and amount of damage caused, in relation to the volume of users affected by the infringement, given that the reported company currently has over 4 million profiles registered in Spain;
- the profit gained as a result of the infringement, in relation to the volume of users affected thereby; and
- the turnover affected by the infringement committed.
AEPD COOKIE GUIDE
The Guide contains practical guidelines on how to meet the requirements of Article 22.2 of the Spanish Internet Act, indicating that, with the exception of so-called exempt cookies, before any cookies are downloaded (i) users must be informed and (ii) their consent must be obtained.
The Guide lists the disclosures to users that are considered essential, clarifying that such disclosures must be communicated in a concise, transparent and intelligible manner, using clear and simple language.
The Guide also establishes that the information may be provided using a layered approach, where the essential information is provided on the first layer, upon visiting the website or application, and the other, more detailed and cookiespecific information is provided on a second-layer page.
The disclosures that must be included in the first layer are as follows:
- identity of the website's publisher;
- identification of the purposes for which the cookies will be used;
- whether the cookies are first or third party;
- general information on the type of data that will be collected and used if user profiles are created;
- a clearly visible link to a second layer including more detailed information.
The second requirement for the use of non-exempt cookies is to obtain user consent. Consent may be obtained (i) in an express manner, such as by clicking a box that reads "consent", "accept" or similar; or (ii) through an unequivocal action on the part of the user, provided that the user has been provided clear and accessible information as to the purposes for which the cookies will be used and whether they will be used by the publisher, by third parties or by both. Inactivity on the user's part cannot be considered a provision of consent by that user under any circumstances.