In 2025, fines are still being issued for failing to comply with cookie policies and user privacy on websites. In this post, we take a look at one of these penalties.
In the summer of 2024, the Spanish Data Protection Agency (AEPD) imposed a €90,000 fine on the owner of three domains after identifying multiple breaches in cookie management across three websites. While this ruling was issued several months ago, it serves as an important precedent for understanding what is strictly prohibited regarding cookie implementation. This article provides an overview of the key technical considerations that must be observed when managing cookies on a website.
A complaint was filed against the entity for installing third-party cookies without user consent and for lacking transparency in its cookie policy, in violation of Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI).
The AEPD’s investigation examined three websites operated by the same provider and identified compliance failures across all of them. These failures primarily related to the absence of proper consent mechanisms and the lack of clear and comprehensive information regarding the cookies being installed.
On one of the websites, the AEPD found that upon a user’s first visit—before providing any explicit consent—the site was already installing various first-party and third-party cookies. While some of these cookies were technical, others—whose purpose was not clearly stated in the company’s cookie policy—tracked users and collected personal data. This practice directly contravenes Article 22.2 of the LSSI, which requires prior and explicit user consent before deploying any cookies that are not strictly necessary for service provision.
For the second website, a more in-depth technical review revealed that even when users selected the "Reject All" option on the cookie banner, the site continued to install third-party cookies. These cookies originated from “magsrv.com”, a domain classified as an adware distributor, meaning they remained active and collected user data for advertising purposes despite the user’s explicit rejection.
On the third website, the cookie banner and policy failed to provide adequate disclosure of third-party cookies. As in the other cases, third-party tracking cookies were implemented without obtaining explicit user consent. Moreover, these cookies remained active on the user’s device even after consent was withdrawn, indicating that the mechanism for revoking consent was ineffective.
According to the LSSI, any form of data processing via cookies requires the explicit consent of the user. In this case, the website operator clearly infringed upon users’ rights to control their personal data. Consequently, the entity was charged with failing to uphold transparency obligations and neglecting proper consent management, with aggravating factors due to intentional misconduct and repeated non-compliance.
This case highlights several essential compliance lessons: When a user visits a website for the first time, non-essential cookies must not be installed on their device without prior consent. Websites can be checked for fraudulent cookie installation by right-clicking the page and inspecting its elements.
For web developers and digital service providers, implementing an effective and compliant cookie management system is crucial. Websites must enable users to accept or reject cookies clearly and easily, and non-essential cookies must be immediately blocked when rejected.
Additionally, cookie policies must provide precise details on the type and purpose of each cookie, ensuring full transparency and respecting users’ digital rights.
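The three failures described above (cookies set on first visit, cookies set after "Reject All", cookies surviving withdrawal of consent) can be checked with a small audit over cookie snapshots. The following Node.js sketch is an added example, not part of the AEPD ruling or of any product mentioned in this post; the site name, cookie names and essential-cookie allowlist are constructed assumptions, and magsrv.com is the domain named in the ruling.

```javascript
// Assumed registrable domain of the audited site and its strictly necessary cookies.
const SITE = "example.com";
const ESSENTIAL = new Set(["session_id", "cookie_consent"]);

// Constructed snapshots, as they could be copied from the browser's cookie
// storage view at three moments in which no consent is in force.
const snapshots = {
  firstVisit: [
    { name: "session_id", domain: ".example.com" },
    { name: "_track_uid", domain: ".example.com" },
    { name: "ad_id", domain: ".magsrv.com" },
  ],
  afterRejectAll: [
    { name: "session_id", domain: ".example.com" },
    { name: "cookie_consent", domain: "www.example.com" },
    { name: "ad_id", domain: ".magsrv.com" },
  ],
  afterWithdrawal: [
    { name: "session_id", domain: ".example.com" },
    { name: "cookie_consent", domain: "www.example.com" },
    { name: "_track_uid", domain: ".example.com" },
  ],
};

// A cookie is third-party when its domain is neither the site nor a subdomain of it.
function isThirdParty(cookieDomain, site = SITE) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  return !(d === site || d.endsWith("." + site));
}

// Without consent, only first-party cookies on the allowlist may be present.
function auditSnapshot(phase, cookies, site = SITE, essential = ESSENTIAL) {
  return cookies
    .filter((c) => isThirdParty(c.domain, site) || !essential.has(c.name))
    .map((c) => ({
      phase,
      name: c.name,
      domain: c.domain,
      party: isThirdParty(c.domain, site) ? "third" : "first",
    }));
}

// Run the same rule over every phase and collect all findings.
function auditVisit(snaps) {
  return Object.entries(snaps).flatMap(([phase, cookies]) =>
    auditSnapshot(phase, cookies));
}

console.log(auditVisit(snapshots));
```

Each finding names the phase in which the cookie appeared, so a cookie that shows up only in `afterWithdrawal` points at a broken revocation mechanism rather than a missing consent gate.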
By integrating Lawwwing, businesses can ensure that their clients’ websites are 100% compliant with both European privacy laws and consumer protection regulations in the digital environment. Non-compliance can have serious legal and financial consequences; do not take unnecessary risks.
The full AEPD ruling, published in August, is available here.
By partnering with Lawwwing, businesses gain access to a highly competitive platform for cookie banners and privacy policies. As a Google-certified verified provider, Lawwwing guarantees that:
The cookie banner functions correctly and complies with regulations.
Cookies remain blocked until explicit user consent is provided.
Users can easily withdraw consent at any time through a visible and accessible mechanism.
Looking for a reliable and professional compliance solution? Lawwwing is the answer.