FACUA - Asociación de Consumidores y Usuarios en Acción – Complaint Upheld (Spain, 2021)

FACUA - Asociación de Consumidores y Usuarios en Acción (FACUA) filed a complaint against Asociación de Afectados por las Asociaciones de Consumidores (ASOCAPAC). The complaint concerned ASOCAPAC's cookie banner. The Spanish DPA (AEPD) identified the following proven facts. Firstly, the cookie banner on ASOCAPAC's website did not provide concise and intelligible information as it only mentions: "This website uses its own and third party cookies to offer you a better experience and service (...)". This undermines the clarity of the message. The Spanish DPA also established that the cookie policy (in the second layer of the banner or on the Privacy Policy page) provided additional information on what cookies are and first and third party cookies are used for. However, there was no information on the identification and the time that they were active. Additionally, the DPA found that there was no mechanism to reject all cookies. Is the lack of information and the lack of a possibility to "refuse all cookies" on a cookie banner a breach of Article 22(2) LSSI? The Spanish DPA (AEPD) held that: *i) the lack of sufficient information on the first layer of the cookie banner, *ii) the lack of information as to the type of cookie and the time it remained active, *iii) as well as the absence of a "refuse all cookie" option constituted a breach of Article 22(2) of the Spanish Law on Services of the Information Society and Electronic Commerce (LSSI). The Spanish DPA therefore imposed a warning sanction on the defendant, ASOCAPAC. The DPA also outlined that the defendant had a month to modify the cookie banner and introduce a new cookie policy.