By Brett Allan
Feb. 12 -- The Spanish Data Protection Agency (AEPD) has fined two companies for using cookies without obtaining
informed consumer consent, a move one lawyer said Feb. 12 is the AEPD's first
fine levied in the European Union (In re Navas Joyeros Importadores,
S.L., AEPD, No. PS/00321/2013 1/14/14).
In a resolution, the AEPD in
January ordered two Spanish companies to pay small fines for “minor” violations
of Spain's data protection and information society services laws, due to their
failure to obtain informed consumer consent and to clearly communicate the
purpose and usage of cookies.
The AEPD fined jeweler Navas Joyeros
Importadores S.L. 1,500 euros ($2,045) for violating Articles 5.1 and 5.2 of
the Spanish Data Protection Act (LOPD, Organic Law 15/1999) and 3,000 euros
($4,103) for violating Article 22.2 of the Information Society and Electronic
Commerce Services Act (LSSI, Law 34/2002). The AEPD also fined jeweler
Privilegia Luxury Experience S.L. 500 euros ($687) for violating Article 22.2
of the LSSI.
It concluded that information regarding the companies'
cookies wasn't “complete and clear, particularly with regard to the types of
cookies used, their objective, and the identities of those who install and use
the cookies, which would invalidate any consent given by users that ‘Accept’
the ‘Cookies Policy’ or continue to surf the websites.”
fines were small even for minor infractions of these laws, this is the first
an enforcement precedent in the aftermath of the AEPD's recent guidance on how
companies should apply recent cookie regulations, Elisa Lorenzo, an associate
at DLA Piper in Madrid, told Bloomberg BNA.
Royal Decree-Law 13/2012, which took effect in April 2012,
altered the LSSI to put Spain in compliance with the European Union's e-Privacy
Directive (2009/136/EC). The e-Privacy Directive requires websites to obtain
user consent before placing cookies on their computers.
and generalized language on cookies in recent modifications to the LOPD and
LSSI aimed at putting Spain in compliance with the directive, the AEPD did not
previously enforce the new regulations in the absence of guidance to clarify
its own interpretation of how companies should proceed, Lorenzo said.
Created with the help of industry representatives, the AEPD in 2013 issued
guidance to aid company compliance with the new
According to Lorenzo, the
AEPD's ruling follows past patterns for the enforcement of newly established
rules in which the agency issues “very moderate” fines to send companies an
initial message “that this is not a warning, but something more serious” that
will lead to more vigorous enforcement over the coming months.
The AEPD's next steps will likely track the steps it took with new anti-spam
legislation, “meaning that the Agency will be vigilant, and as the complaints
come in it will react with larger fines in order to get people to comply
strictly with its guidance notes,” Lorenzo said.
The AEPD's enforcement
of new legislation tends to bring fines small enough to avert company appeals
of the ruling, while at the same time setting a precedent for more vigorous
enforcement later on, she said.
By not appealing these sentences,
companies are essentially helping to create jurisprudence upholding the AEPD's
interpretation of the law, she said.
To contact the reporter on
this story: Brett Allan King in Madrid at firstname.lastname@example.org
To contact the editor
responsible for this story: Katie W. Johnson at email@example.com
Resolution R/02990/2013 is available, in Spanish, at http://www.agpd.es/portalwebAGPD/resoluciones/procedimientos_sancionadores/ps_2014/common/pdfs/PS-00321-2013_Resolucion-de-fecha-14-01-2014_Art-ii-culo-5.1-LOPD-22.2-LSSI.pdf.