The Spanish Data Protection Authority (AEPD) has fined Spanish Airline company Vueling €30.000 for unlawful use of cookies on their website.
The AEPD argues that Vueling has not provided their users the possibility to refuse cookies, thereby forcing them to accept cookies to navigate the website.
This – according the Spanish Data Protection Authority – is a violation to Article 22.2 of the Law on Information Society Services and Electronic Commerce (LSSI).
Spanish Airline Cookie Fine – AEPD’s press release
Consent to cookies is implicit in the Vueling cookie consent banner leaving users with no real choice on cookies and data privacy.
Moreover, third-party cookies are collecting the user’s personal data even before the user accepts cookies.
Major European Data Protection Authorities update cookie guidelines
Why did Vueling get fined for using cookies?
When entering the Vueling website, you first see is a classic cookie consent pop-up.
It states that the website uses cookies to remember preferences; for statistics; and to show personalized ads.
By continuing to browse, the user agrees (i.e. consents) to the use of cookies.
At no time can the user
refuse cookies or other tracking technologies
Every single cookie on Vueling.com is already set in the user’s browser and has begun tracking before the user accepts cookies and/or continues browsing the site.
In other words, the user is forced to give consent (to get rid of the banner) and does not have the possibility to decline tracking cookies.
AEPD specifies that Vueling does not provide users with any access to a Consent Management Platform or cookie configuration tool for refusing cookies, and thereby cannot claim to collect valid consent.
Thereby, Vueling is in violation with article 22.2 of the LSSI.
“Service providers may use data storage and retrieval devices on terminal equipment of the recipients, provided that they have given their consent after they have been provided with clear and complete information about their use, in particular, about the purposes of data processing.”
LSSI (the Law on Information Society Services and Electronic Commerce)
Spanish Airline Vueling receives a €30.000 cookie fine which – if paid voluntarily – can be reduced by 20% (to €24.000), and if paid within a granted period would be reduced further to €18.000.
How can your website avoid same fine?
With the EU Court of Justice ruling last week against German lottery website Planet49, the grip has been tightened around the use of cookies.
EU Court of Justice’s verdict on cookies
EU and national Data Protection Authorities are on the move to secure EU citizens’ online privacy.
For now, French, German and English cookie requirements have been updated to clarify the rules set forth in the ePrivacy (cookie law) and the General Data Protection Regulation (GDPR).
Major European DPA’s revise cookie requirements
When operating a website (private or company), you are responsible for the collection of consents to cookies and other tracking technologies.
This also applies for third-party cookies like Google Analytics, Facebook Pixel, YouTube etc.).
Here’s a short checklist to check if your website is compliant.
Checklist for collecting
valid consent to cookies
- Block cookies before you get consent
- Offer an easy way for your user to decline cookies
- Inform your users of cookies
- Respect their privacy choices
- Provide an easy way for change or withdraw consent
- Store their consents for 5 years
Get free compliance check
Unsure whether your website is compliant?
Get a free compliance check here. No strings attached.