Radio Popular S.A. – €1,200 Fine (Spain, 2021)

A data subject filed a complaint against a radio company stating that "when accessing their website (www.cope.es), it is impossible to reject cookies". When the website loaded, a banner informing users that cookies were being used on the site and containing a link to the configuration panel was displayed. However, no link to the actual cookie policy was provided, and the user could not access the cookie policy before accepting the cookies. Furthermore, non-strictly necessary cookies for the functioning of the website were installed on the user's device before consent was obtained, such as: * _cb: analytical cookie that stores the unique identifier for chartbeat tracking (tool for real-time website metrics analysis) (1 year active) * _chartbeat2: analytical cookie used to store statistics on the number of visits per year (30 days active) * _ga: analytical cookie used to distinguish between users of the website (2 years active) * _cb_svref: analytical cookies used to store the origin of the visitors (active during session) * _cb_ls: analytical cookie used for the analysis and control of active users' navigation (1 year active) * web_gid: analytical cookie used to distinguish users (active 24 hours) The Spanish DPA (AEPD) found that the controller was installing unnecessary cookies before asking for the consent of the user, what violated Article 22(2) of the [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Act on Information Society Services and Electronic Commerce] (implementing the e-Privacy Directive). The controller should have sought the consent of the users before installing such cookies. Additionally, the controller also violated the same Article by not providing enough information about the processing of such cookies, as the users could not directly access the cookie policy. The cookie banner should have included a direct link to such policy, or it should have been available in the second layer. The user should have been able to access the information