
SEAT fined for improper cookie management


In today’s digital environment, compliance with data protection regulations has become an unavoidable requirement for any company operating through online channels. The recent case of SEAT, which was sanctioned by the Spanish Data Protection Agency (AEPD) for the improper management of cookies on its website, clearly illustrates the risks organizations face when they fail to properly implement the legal requirements in this area.

The sanction imposed on SEAT highlights the increasing scrutiny by regulators regarding how companies obtain and manage user consent for the use of tracking technologies. This situation serves as a warning not only to large corporations but also to small and medium-sized enterprises that have yet to fully adapt their websites to the General Data Protection Regulation (GDPR) and the Law on Information Society Services (LSSI).

What did SEAT do wrong?

The AEPD identified several deficiencies in SEAT’s cookie management system. Specifically, it was found that:

  • Non-essential cookies were being installed without the user’s prior consent, in clear violation of Article 22.2 of the LSSI.
  • The initial cookie banner did not provide clear, accessible, and balanced information regarding the purposes of data processing, especially concerning personalization and behavioral advertising cookies.
  • There was no real and easy option to reject all cookies with the same ease as accepting them, which contravenes the principles of transparency and user freedom of choice.
  • Additionally, some links to the cookie policy or configuration center were not functioning correctly, hindering the effective exercise of the user’s right to manage their browsing preferences.

 

These practices were deemed by the AEPD to constitute a breach of the principle of lawful processing of personal data.

What should be changed to comply with the regulations?

To correct these deficiencies and avoid further sanctions, SEAT, and any company in a similar situation, should implement a series of technical and organizational measures aligned with current regulations:

  • Explicit and prior consent: cookies that are not technical or strictly necessary may not be installed unless the user has provided free, informed, and specific consent.
  • Equal ease of acceptance and rejection: the cookie banner must include clearly visible buttons or links that allow users to either accept or reject all cookies simply and symmetrically.
  • Complete and accessible information: the cookie policy must detail the types of cookies used, their duration, purpose, and any third parties with access to the data.
  • Functional preference manager: a cookie settings center should be enabled, allowing users to modify or withdraw their consent at any time.
  • Consent records: it is advisable to implement mechanisms to reliably document when and how consent was granted.

How to avoid sanctions?

The best way to avoid sanctions like the one imposed on SEAT is to adopt a proactive compliance strategy regarding cookies and data protection. The following recommendations are suggested:

  1. Conduct regular audits of all cookies used on the website.
  2. Update cookie notices and policies in accordance with technological or legislative changes.
  3. Train the technical team on the GDPR and LSSI requirements concerning the processing of personal data via cookies.
  4. Use certified Consent Management Platforms (CMPs) that ensure legal compliance.
  5. Consult with legal data protection experts, such as LETSLAW, especially during website development or redesign processes.

 

In short, the sanction imposed on SEAT demonstrates that cookie management is not a minor detail in regulatory compliance, but a fundamental part of the digital responsibility of any company that interacts with users online.
