GDPR Fine for Cookies Installed Without Consent
A cookie is a small text file stored on a user’s device when visiting a website. Cookies retain information about user preferences and activity, thereby facilitating a personalized browsing experience. According to the General Data Protection Regulation (GDPR), cookies are considered personal data as they can indirectly identify an individual through unique identifiers associated with their device.
For instance, if a cookie collects information about a person’s online behavior (pages visited, products searched), this data can be combined with other existing information to create a detailed user profile, allowing for indirect identification of the individual.
Recently, the National Authority for Supervision of Personal Data Processing (ANSPDCP) sanctioned a company with a fine of 20,000 lei for violating the provisions regarding personal data processing and privacy protection in the electronic communications sector (Law no. 506/2004).
The investigation was initiated following a complaint from an individual who claimed that an online store had breached GDPR provisions.
During the investigation, ANSPDCP found that the company’s website installed cookies that were not technically necessary (such as those used for marketing and statistical purposes) without first obtaining user consent.
In addition to the imposed fine, the authority mandated a corrective measure, requiring the website to reconfigure its cookie settings so that these cookies are activated exclusively after explicit user consent is given.
This case underscores the importance of adhering to legal requirements regarding clear and explicit user consent, especially when processing personal data via cookies.
Companies managing websites are thus encouraged to review and update their consent mechanisms to avoid sanctions and ensure complete transparency toward users.
For additional details and specific recommendations on GDPR compliance, please contact us.