First "Cookie Fines" in Europe

Earlier this year, the Spanish Data Protection Regulator (AEPD) issued fines to two jewelry companies (one an online jewelry store) for infringement of Spain’s cookie law (the Spanish Law of Information Society Services and Electronic Communications (LSSI-CE)). The Spanish law is the implementation of the EU’s “Cookie Directive” amendments to the e-Privacy Directive (Directive 2002/58). The Directive requires obtaining consent before using non-necessary cookies on websites. In Spain, this means that users’ consent has to be either (i) express or (ii) clearly inferred from the user actions (ie., going through a site where clear information about cookie usage is set out). As part of consent, information about the use of cookies on the websites needs to be given. However, in this case, Navas Joyeros S.L. and Luxury Experience S.L. were fined a total of €5,000 for failing to provide clear and complete information on their promotional websites about the tracking programs that they used. The case arose after users complained in 2012 that the companies did not provide any cookie usage policies. The AEPD concluded that the absence of policies meant that the consent for using the cookies was not validly obtained because the information provided was not sufficiently detailed. Moreover, the companies did not provide a method for users to opt-out of cookie usage. This is the first time that companies were fined on the basis of “cookie consent” in the EU.

Tip: This case is a reminder that appropriate consent – with notice and the ability to opt-out – needs to be provided for cookie usage to address the EU Cookie Directive.