Adevinta Spain, S.L. – Dismissed (Spain, 2024)
The Spanish data protection authority dismissed a complaint against Adevinta Spain, S.L. regarding its cookie banner. This matters because it shows that companies can design cookie banners that comply with regulations, as long as they provide options to reject cookies. Website operators should stay informed about cookie consent guidelines to avoid issues.
What happened
Adevinta Spain, S.L. faced a complaint about its cookie banner but was found not to have violated any regulations.
Who was affected
Users who interacted with the cookie banner on Adevinta Spain's website.
What the authority found
The authority concluded that Adevinta's cookie banner complied with existing guidelines and did not find any violations.
Why this matters
This ruling indicates that companies can create effective cookie consent mechanisms. It encourages businesses to stay updated on regulations to ensure compliance.
National Law Articles
In January 2021 a data subject accessed a website operated by Adevinta Spain, S.L. (the controller) which had a cookie banner. In the data subject’s view, the cookie banner did not offer a reject button in the first layer, used colors and contrasts to nudge users to consent and did not provide an option to withdraw consent that would be as easy to use as the option to give consent. The data subject, represented by noyb (European Centre for Digital Rights), lodged a complaint with the Austrian DPA in August 2021. The Austrian DPA determined that the controller was Spanish and forwarded the case to the Spanish DPA (AEPD), which received it in June 2023.
The AEPD found no violations and issued a decision archiving the complaint on 8 November 2023. First, it agreed with the controller’s argument that providing one button to accept cookies and another to further configure settings in the first layer of the cookie banner, which then permitted you to reject cookies in the second layer of the banner, complied with the AEPD’s 2020/2022 Guidance on the use of cookies. Second, the AEPD noted that this guidance did not specify color or contrast settings. Though the updated 2023 guidance addressed dark patterns, it did not come into effect until 11 January 2024 and thus was not at issue in this case. Third, the AEPD observed that the panel to disable cookies was permanently located at the footer of the webpage and thus found that the option to withdraw consent was always accessible. Finally, based on its own investigation of the webpage, the AEPD determined that the webpage did not install any cookies prior to obtaining consent and verified their proper uninstallation once consent was withdrawn.
On 11 December 2023, the data subject filed an internal appeal (recurso de reposición) making five key arguments. First, it claimed that a procedural GDPR violation had occurred, arguing that the Austrian DPA transferred the complaint to the AEPD when pursuant to Article 60(8) GDPR, th
Outcome
Dismissed
The complaint or investigation was dismissed.
Violations (4)
Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.
Art. 7 GDPR
Refusing cookies requires more clicks or steps than accepting them, or the reject option is less visually prominent.
Art. 7 GDPR
The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).
Art. 7 GDPR
No accessible mechanism exists for users to withdraw previously given cookie consent.
Art. 7(3) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Adevinta Spain, S.L. in ES
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Adevinta Spain, S.L. - Spain (2024). Retrieved from cookiefines.eu