GDPR | May 21, 2026

AEPD (Spain) - PS-00480-2025

AEPD fines Tiger Media Inc. €72,000 for placing advertising cookies without consent.

Summary

Spain's data protection authority (AEPD) fined Tiger Media Inc., an adult ad network operator, €72,000 for installing advertising cookies on users' devices without obtaining prior consent and unlawfully relying on legitimate interest as a legal basis. The DPA found that the controller, which was not properly represented in the EU, violated GDPR Articles 6 and 27, as well as the ePrivacy Directive, by processing personal data collected through non-consensual cookies for advertising, performance measurement, and fraud detection purposes.

Full text

From GDPRhub. Revision as of 09:44, 21 May 2026.

AEPD - PS-00480-2025

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(f) GDPR; Article 27 GDPR; Article 5(3) ePrivacy Directive; Article 22(2) LSSI
Type: Investigation
Outcome: Violation Found
Started: 02.10.2025
Decided: 14.11.2025
Published:
Fine: 72,000
Parties: Tiger Media Inc.
National Case Number/Name: PS-00480-2025
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: bms

The AEPD fined an adult ad network for placing advertising cookies without consent, unlawfully relying on legitimate interest and lacking an EU representative.

English Summary

Facts

Tiger Media Inc., the controller, operated an advertising platform for publishers and advertisers of adult products and services. The platform acted as an ad network, connecting publishers offering advertising space with advertisers seeking to display ads on those websites.

Through this platform, the controller processed personal data of users visiting publishers’ websites where its ads were displayed. This included IP addresses, device and browser information, website URLs, referral URLs, clicks, impressions and cookie identifiers. According to the controller, the data were processed for ad delivery, fraud prevention, frequency capping, performance measurement and service improvement.

The controller argued that it did not carry out behavioural advertising or profiling.
It claimed that any targeting was limited to contextual factors, such as country and language. The controller relied mainly on legitimate interest as a legal basis and argued that publishers, as independent controllers of their own websites, were responsible for obtaining any consent required for cookies.

The DPA investigated the controller’s platform and several Spanish websites using it. It found that cookies linked to the controller’s platform were installed on users’ devices without prior consent. These cookies were used for advertising-related purposes, including measuring ad performance, improving ad relevance, limiting frequency and detecting fraud.

The AEPD also noted that the controller was not established in the EU. Although the controller stated that it had appointed a representative in Northern Ireland and was in the process of changing representative, the DPA considered that it did not have a valid representative established in the Union.

Holding

The AEPD held that the controller violated Article 6 GDPR by processing personal data without a valid legal basis. The DPA emphasised that the LSSI, the Spanish law implementing the ePrivacy Directive, requires prior consent for storing or accessing information on a user’s device through cookies, unless an exemption applies. The DPA distinguished between the placement or reading of cookies, which is governed by the cookie rules, and the subsequent processing of personal data obtained through those cookies, which must comply with the GDPR. Since the cookies were installed without consent, the subsequent processing of the data collected through them could not be considered lawful.

The AEPD rejected the controller’s reliance on legitimate interest under Article 6(1)(f) GDPR. It found that users had not received clear information and had not consented to the use of cookies.
Moreover, users of the affected websites did not have a reasonable expectation that their browsing-related data would be processed by a third-party advertising network for advertising purposes. Therefore, the processing did not pass the balancing test required under Article 6(1)(f) GDPR.

The DPA also held that the controller violated Article 27 GDPR. Since the controller was not established in the EU but processed personal data of users in Spain in connection with its advertising services, it was required to appoint a representative established in an EU Member State. A representative in Northern Ireland did not meet this requirement.

The AEPD fined the controller €120,000 in total: €70,000 for the violation of Article 6 GDPR and €50,000 for the violation of Article 27 GDPR. Pursuant to Article 85 of the Spanish administrative Law 39/2015, the notice of initiation informed the controller of the possibility of acknowledging liability and making a voluntary payment of the proposed penalty, which would entail two cumulative reductions of 20% each. With the application of these two reductions, the final penalty was set at €72,000, and its payment resulted in the termination of the proceedings.

The AEPD also ordered the controller to adopt corrective measures within three months. In particular, the controller had to ensure compliance with Article 6 GDPR, ensure compliance with the Spanish cookie rules by the service providers using its cookies, appoint an EU representative and notify the AEPD of the measures adopted.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202405210

RESOLUTION TERMINATING THE PROCEEDINGS BY ACKNOWLEDGMENT OF LIABILITY AND VOLUNTARY PAYMENT

Regarding the proceedings initiated by the Spanish Data Protection Agency and based on the following

BACKGROUND:

FIRST: On October 2, 2025, the Presidency of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against TIGER MEDIA INC. (hereinafter, T.M.I.), by means of the agreement transcribed below:

<<

File No.: EXP202405210

AGREEMENT TO INITIATE SANCTIONING PROCEEDINGS

Based on the actions carried out by the Spanish Data Protection Agency and the following

FACTS

FIRST: The Spanish Data Protection Agency has become aware of certain facts that could constitute a possible infringement attributable to TIGER MEDIA INC. with Tax Identification Number 830104493 (hereinafter, T.M.I.). This Agency has become aware of the existence of a possible violation of the Data Protection Regulations, in relation to the processing of personal data derived from the activity of the platform ***PLATFORM.1 (owned by T.M.I.), as an advertising network (Ad Network) for publishers and advertisers of adult products and services, which, therefore, does not act as a generalist Ad Network.

SECOND: As a consequence of the known facts, on April 8, 2024, the Presidency of the Spanish Data Protection Agency instructed the Sub-Directorate General for Data Inspection (SGID) to initiate the preliminary investigation proceedings referred to in Article 67 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD).

THIRD: The Deputy Directorate General for Data Inspection carried out preliminary investigative actions to clarify the facts in question, by virtue of the functions assigned to the supervisory authorities in Article 57.1 and the powers granted in Article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VIII of the LOPDGDD.

C/ Jorge Juan, 6, 28001 – Madrid | www.aepd.es | sedeaepd.gob.es

As a result of the actions carried out, the following facts have been obtained:

• On 28/11/2024, in response to the request for information from this Agency, T.M.I. submitted the following information and statements:

1. That T.M.I. is the owner and operator of the platform ***PLATFORM.1.
2. Provides a Record of Processing

Entities

Tiger Media Inc. (vendor)
AEPD (vendor)