Wallapop S.L. – €3,000 Fine (Spain, 2025)
Wallapop S.L. was fined for using cookies on its website without getting users' permission first. This matters because it shows that companies must respect users' choices about privacy. Website operators should ensure they have clear consent mechanisms for cookies.
What happened
Wallapop S.L. used non-essential cookies on its website without obtaining user consent.
Who was affected
Website visitors who tried to access Wallapop's site but were forced to accept third-party cookies.
What the authority found
The Spanish data protection authority found that Wallapop violated e-Privacy rules by not allowing users to reject cookies effectively.
Why this matters
This case highlights the importance of obtaining proper consent for cookies. Other companies should review their cookie practices to avoid similar penalties.
National Law Articles
Wallapop S.L. (the controller) is a company that operates a website to exchange goods. A data subject filed a complaint with the DPA on the grounds that browsing the controller's website was impossible without downloading third-party cookies, even if cookies were rejected. The data subject brought this issue to the attention of the controller, who responded that it could not assist as the cookie settings were specific to each mobile phone. Upon investigation, the DPA found that non-essential cookies were installed when accessing the website. The use the "reject all" option had no effect, as the website continued to use the non-essential cookies detected at the beginning of the session. Finally, it was not possible to uninstall the cookies detected at the beginning of the session, or the cookies installed afterward. The DPA considered that the controller had committed a minor infraction of Spain's law transposing the e-Privacy Directive (LSSI).Minor infractions are regulated in Article 38(4)(g) LSSI. This is because the controller used non-essential cookies without the user's prior consent, the data subject was unable to reject them in the first layer or in the control panel, and the data subject was unable to modify the consent given for the use of cookies at any time while browsing the website. These were all actions violating [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758#a22 Article 22(2) LSSI]. The fine was initially set at €5,000 but pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the DPA informed the controller that it may make a voluntary payment of the proposed fine. This action reduces the imposed fine by 20%. The fine can be reduced by a further 20% if the controller acknowledges its liability under the same law. These reductions are further conditional on the withdrawal or waiver of any administrative action or appeal against the penalty. The controller agreed to these conditions and reduced the fine by 40%, payin
Violations (4)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Tracking cookies remain active or are re-placed even after the user explicitly rejects them.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
No accessible mechanism exists for users to withdraw previously given cookie consent.
Art. 7(3) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Wallapop S.L. in ES
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
31 May 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€3,000
GDPRhub ID
gdprhub-9457About this data
Cite as: Cookie Fines. Wallapop S.L. - Spain (2025). Retrieved from cookiefines.eu
Last updated: