On 14 January, the Spanish Data Protection Regulator (the "Spanish DPA") issued its first fines for infringement of Spain's implementation of the EU's "cookie consent" requirement. The decision (in Spanish) may be found here.
Two companies were investigated and fined. The decision concludes that the two companies had failed to comply with the obligation to provide clear and comprehensive information about the cookies they used.
The total amount of the fines, 3,500 EUR, is very modest, especially if one considers the great enforcement powers of the Spanish DPA who could have potentially issued a fine up to 30,000 EUR per infringement in this case.
Does this mean that European regulators are going to be 'soft-touch' when it comes to the cookie rule enforcement? Let's not rush into conclusions and consider some key facts and take-away points from this case.
Why were these companies targeted?
Like most privacy enforcement actions, the investigation in this case was triggered by the complaint of an individual to the Spanish DPA in September 2012. The services provided by the websites investigated and the cookies used are not uncommon or particularly intrusive to individuals' privacy. The companies belong to the jewellery sector and most of the websites were purely promotional, with only one of them (out of 8) selling products on-line.
The actual enforcement procedure did not start until 15 July 2013 (nine months after the complaint) and it took another six months to issue the fines. In my view, the timings of this case tell us two things.
Secondly, the Spanish DPA took its time to thoroughly investigate the websites and cookies used and to review the documents provided by the companies. This is as you would expect, given that it was the first time it carried out a formal investigation in this respect.
Setting the bar high
Importantly, the decision confirms what was said in the guidance document, namely that information may be provided by implementing a layered approach and that an action-based consent mechanism would work in Spain. The decision also lays out the minimum information that the first and second layer must include and, in doing so, it provides useful insight to what exactly in practice will be compliant or not. The main point to take away is that the level of detail required in cookie notices is high.
What about consent?
The Spanish DPA briefly examined whether consent was lawfully obtained or not. The conclusion it reached was that consent was not validly obtained because the information provided was not sufficient.
However, the actual consent mechanisms used were not analysed in detail, and so the Spanish DPA did not discuss the legitimacy of implied versus express consent mechanisms. This is because, for technical legal reasons specific to Spain (but not other EU Member States), the Spanish DPA cannot currently impose fines for failing to comply with the consent requirement – only the information provision requirement.
This issue is expected to be addressed by a draft law that is on its way. The new law will introduce a two tier approach that allows the Spanish DPA to fine for failure to implement a valid consent mechanism. Minor infringements (up to 30,000 EUR) and serious infringements (max 150,000 EUR) will apply depending on the facts of each case.
Messages to take away
- Unconfirmed reports state that another 19 cases are under investigation in Spain. Having taken the lead, it is entirely possible that other European regulators will now follow suit. Their enforcement actions will be determined by their local enforcement strategy and the powers they are granted under local laws.
- The low level of this fine should not be interpreted as necessarily meaning that regulators will take a soft approach to cookie enforcement. In this particular case, attenuating circumstances and the technical legal issues impacted the calculation of the fine.
- Final and most important point is that the grace period has long been over. If you have not already done so, it is important to get your house in order now.