The AEPD sanctions Twitter for the information given through its Cookie Policy

30 June 2020

The world-famous social network Twitter, sanctioned in Spain by the AEPD with a 30,000 euros fine for violating the LSSI.

30 June 2020

The Spanish Data Protection Agency (hereinafter, APED) has ended the Sanctioning Procedure PS/00299/2019, with a fine of 30,000 euros to the well-known company Twitter International Company (better known as the social network Twitter), for an infringement that has been considered as “minor” of the article 22.2 of the Law 34/2002, of July 11, of the Information Society Services and Electronic Commerce (hereinafter, LSSI).

The aforementioned article establishes the following:

• “Service providers may use data storage and retrieval devices on terminal equipment of the recipients, if that recipients have previously given their consent, after having been correctly and clearly informed about the use that the controller is going to do with such devices, and in particular about the purposes of data processing, in accordance with the provisions of the Organic Law 15/1999 of 13 December 1999, on Personal Data Protection.

• When it is technically possible and effective, the recipient’s consent to accept the processing of the data may be provided through the use of the appropriate parameters from the browser or other applications.

• What we just have said in the previous paragraph, shall not avoid any technical storage or access for the only purpose of carrying out the transmission of a communication through an electronic communications network or, if absolutely necessary, for the provision of an information society service explicitly requested by the recipient.

The procedure began with a letter addressed to the AEPD in which an individual alleged that the social network Twitter provided inadequate and insufficient information about the cookies it uses and sets on users’ browsers.

The AEPD, for its part, was able to verify the following circumstances through its investigative diligences:

  1. By the simple fact of accessing the main Twitter website, several cookies were automatically installed in the browser which were not necessary for the provision of the service offered.
  2. On the first layer or “banner” on cookies, the consent was tacit, and there was no link that provided the possibility to accept or reject the cookies in granular form, or to access the second layer.
  3. The second layer, where the Twitter’s cookie policy was hosted, indicated how to manage cookies through the settings of the different browsers, but also did not offer users the possibility to accept or reject cookies in granular form.

By virtue of these three facts, the AEPD considered that Twitter had infringed the Article 22.2 of the LSSI, by installing cookies in users’ browsers automatically without their previous consent, and by giving inadequate and insufficient information about the cookies it uses, both in the first and second layers, not allowing the users that visit the website to configure their preferences in a granular way.

The infringement was classified as “minor”, as established in Article 38.4 g) of the LSSI, and was sanctioned with a fine of 30,000 euros, the maximum permitted for this type of infringement, and which was set in accordance with the parameters of Article 40 of the same Law, which are the following:

  1. Intentionality, in the sense that it was up to Twitter to determine how to obtain the informed consent.
  2. The period of time that the infringement lasts, being the claim from May 2018.
  3. Nature and quantity of the damages produced, bearing in mind that Twitter had at that moment more than 4 million registered users in Spain.
  4. Benefits obtained by the infringement.
  5. Turnover affected by the infringement committed.

With this resolution, the Spanish Data Protection Agency has once again highlighted the importance of keeping the cookie policies on websites up to date, following the recommendations published on its “Guide to the use of cookies” of November 2019.

If you consider that your website does not comply with the current regulations or with these recommendations, or you have doubts about this fact, consult an expert in the subject, in order to receive the best advice and to avoid this type of situations.

5/5 - (3 votes)

Joaquín Abajo

Abogado.

Comentarios

Leave a Reply

Your email address will not be published. Required fields are marked *

Responsable del tratamiento: HERRERO & ASOCIADOS, S.L.

Finalidad del tratamiento: Publicar su comentario sobre la noticia indicada.

Derechos de los interesados: Puede ejercer los derechos de acceso, rectificación, supresión, oposición, portabilidad y limitación del tratamiento, mediante un escrito, acompañado de copia de documento que le identifique dirigiéndose al correo dpo@herrero.es.

Para más información visita nuestra Política de Privacidad.

*Los campos marcados con el asterisco son obligatorios. En caso de no cumplimentarlos no podremos contestar tu consulta.

No Comments