Spanish Data Authority (AEPD) fines e-commerce website €3,000 for unlawful cookie practices

On 6 August 2020, the AEPD (Spain’s data authority) decided to fine Grow Beats SL, an e-commerce company that targets a young audience to sell audio equipment like earphones and speakers, €3,000 for unlawful cookie practices.

The fine relates to their unlawful use of cookies on the website. Specifically, that there mechanism was established to allow users to opt out of all 3rd party cookies. It also found that the cookie policy in place did not provide enough information about the third party cookies used on the website and how users could manage them.

The full decision is available to read here (ES).

Recently, the Spanish data authority has issued many fines over non-compliant cookie practices.

The most high profile case was Vueling Airlines. In November they were fined €30,000 for using cookies on their website without users’ acceptance. They AEPD reported that Vueling Airline’s cookie banner gave users no real option to continue using the website without loading cookies.

This recent rise in cookie cases could be attributed to the EU Court of Justice ruling on October 1st 2019, that upheld that users must actively consent to using cookies.

This may have given some regulators the go ahead to change , but it appears like much of the internet is still catching up. 

The team at Measured Collective come across unlawful cookie policies and consent mechanisms almost every day. Most frequently we discover outdated cookie banners, that state that continuing to browse/use the site indicates acceptance of cookies. Or we find opt-out mechanisms that load cookies before the user has been given a choice to consent. Thereby removing real choice over the use of third party cookies for users.

While the fine in the recent case between the AEPD and Grow Beats SL is small, the repercussions can be much more significant. It looks as if data authorities across Europe are increasing their enforcement action. Many, like Spain’s AEPD and Ireland’s Data Protection Commission have since issued new cookie guidance with grace periods for website owners to implement the changes.

For now if you manage a website which does any of the following:

  • Loads cookies, such as Google Analytics before the user has consented; 
  • Fails to make information about what cookies are used, their purposes and how users can opt out of their use clear in the cookie policy. 
  • Bundles consent for cookies with different purposes, such as advertising tracking or analytics cookies together.
  • Assumes consent, or uses a non-active form of consent, such as continuing to browse the website to set cookies.

Then you should review your cookie consent mechanism, and take steps to update it. Get in touch with us if you would like us to review your website for free, we can provide a proposal for how to fix your problems, or simply point you in the direction of some of our favourite DIY tools. 


⚠️ Try our free GDPR course. Section 1 and Section 2 available now, sign up and start learning immediately.