AEPD penalizes a company that owns adult content websites for unlawful use of personal data

AEPD penalizes a company that owns adult content websites for unlawful use of personal data

The Spanish company Techpump Solutions, S.L., owner of five websites with adult content, has been sanctioned by the Spanish Data Protection Agency (“AEPD”), with Euro 525,000 for failing to comply with current regulations on privacy and data protection, by using personal data in an unlawful manner.

Specifically, the sanction is based on the fact that these websites do not have a mechanism that allows a correct and sufficient verification of the users who intend to register in it with regard to their status as adults or minors. That is to say, despite the fact that banners on these websites warn that they have content aimed at users over 18 years of age, access or registration to the same does not request consent for access from the holders of parental authority or guardianship in the case of children under 14 years of age, nor do they have implemented mechanisms to ensure that the user who registers is a child over 14 years of age and under 18 years of age.

In this sense, the AEPD, in its resolution argues,: “Not only the processing of personal data of a child as a vulnerable person is a risk, but in the case of children the risks that would affect any group are amplified by their situation of vulnerability, so that the dangers per se are greater than if they affect an adult. This implies that, from the risk approach, a fundamental pillar of the General Data Protection Regulation, the appropriate technical and organizational security measures must be implemented to avoid the materialization of a very high risk causing an injury to their rights and freedoms, taking into consideration as a starting point that we are dealing with the processing of personal data of children”.

In addition to the above, the AEPD, in a 122-page resolution, concludes that this company has violated up to seven articles of the General Data Protection Regulation (“GDPR“) classified in this regulation as very serious, serious and minor (although most of the infringements that have been committed have been considered as serious), and has also violated precepts contained in the Law on Information Society Services (“LSSI”) and the current regulations on cookies.

The AEPD blames this company for its lack of transparency and loyalty by providing users of these sites with information through its privacy policy that does not correspond to the processing that was actually being carried out, which causes users, apart from misinformation, clear and evident confusion.

Likewise, the AEPD has concluded that Techpump Solutions, S.L., has also violated the principle of purpose limitation insofar as it has been collecting the IP data of its users “not only for the management of user data for the delivery of digital advertising (own purpose)” but also with the intention of “supplying the IP to the State security forces and bodies (purpose of a third party)”, something that is not referred to either in the register of processing activities of this company or in its privacy policy.

On the other hand, another of the infringements highlighted by the AEPD in its resolution is that the websites were only available in English, a fact that leads to a lack of clarity and legibility when the contents and information is addressed to consumer users of other nationalities. Likewise, the AEPD stresses that these sites do not give users the possibility of revoking their consent at any time with respect to the forms they have filled in.

Finally, it should be noted that such a high fine has never been imposed on companies in the pornographic web sector before.

In view of the above, it is important that every company, regardless of its sector of activity (and especially if it processes personal data of groups that are subject to greater legal protection in terms of privacy – such as minors – whose processing may be likely to infringe their rights and freedoms), should have good advice on the adaptation to data protection regulations in order to adapt its internal processes and the websites it owns to the aforementioned regulations, in order to avoid potential sanctions of so high amount as the one that has been imposed to Techpump Solutions, S. L.