Spanish airline fined €30.000 for not allowing users to refuse cookies on their website

Spanish airline fined €30.000 for not allowing users to refuse cookies on their website

The Spanish Data Protection Authority hands Vueling Airlines large fine for using cookies on their website without their users accept. See how your website avoids the same fine.

The Spanish Data Protection Authority (AEPD) has fined Spanish Airline company Vueling €30.000 for unlawful use of cookies on their website.

The AEPD argues that Vueling has not provided their users the possibility to refuse cookies, thus forcing them to accept cookies to navigate the website.

This – according the Spanish Data Protection Authority – is a violation to Article 22.2 of the Law on Information Society Services and Electronic Commerce (LSSI). Consent to cookies is implicit in the Vueling cookie consent banner leaving users with no real choice on cookies and data privacy. Moreover, third-party cookies are collecting the user’s personal data even before the user accepts cookies.

Why did Vueling get fined for using cookies?

When entering the Vueling website, you first see is a classic cookie consent pop-up. It states that the website uses cookies to remember preferences; for statistics; and to show personalized ads. By continuing to browse, the user agrees (i.e. consents) to the use of cookies.

“At no time can the user
refuse cookies or other
tracking technologies”

At no time can the user refuse cookies or tracking technologies. Every single cookie on is already set in the user’s browser and has begun tracking before the user accepts cookies and/or continues browsing the site.  

In other words, the user is forced to give consent (to get rid of the banner) and does not have the possibility to decline tracking cookies.

AEPD specifies that Vueling does not provide users with any access to a Consent Management Platform or cookie configuration tool for refusing cookies, and thereby cannot claim to collect valid consent.  

Thereby, Vueling is in violation with article 22.2 of the LSSI.

Article 22.2 of the LSSI:

“Service providers may use data storage and retrieval devices on terminal equipment of the recipients, provided that they have given their consent after they have been provided with clear and complete information about their use, in particular, about the purposes of data processing."

Link: LSSI (the Law on Information Society Services and Electronic Commerce)

Vueling is fined €30.000 which – if paid voluntarily - can be reduced by 20% (to €24.000), and if paid within a granted period would be reduced further to €18.000.

What can you do to avoid the same fine?

With the EU Court of Justice ruling last week against German lottery website Planet49, the grip has been tightened around the use of cookies.

Link: EU-Court of Justice rules against Planet49 – storing cookies require consent

EU and national Data Protection Authorities are on the move to secure EU citizens’ online privacy. For now, French, German and English cookie requirements have been updated to clarify the rules set forth in the ePrivacy (cookie law) and the General Data Protection Regulation (GDPR).

Link: Major European Data Protection Authorities revise cookie requirements

When operating a website (private or company), you are responsible for the collection of consents to cookies and other tracking technologies (also for third-party cookies like Google Analytics, Facebook Pixel, YouTube etc.).

"To avoid the same fine,
start by revising your
cookie consent solution"

To avoid the same fine as Vueling, start by revising your cookie consent solution.

  • Does your cookie pop-up collect – and store – your users’ consents?
  • Can your users refuse cookies and tracking technologies?
  • Are pre-ticked boxes un-checked for cookies (as required in the GDPR)?
  • Does your cookie pop-up block cookies before consent is obtained?
  • Are all cookies described in your cookie policy? Also expiration and lifespan?

Get A free assessment of your website's cookie compliance level

If you would like to test your website's cookie compliance, fill the form in the right sidebar. You can also use the link here:

Link: Test your website

Or you can book a meeting with our compliance experts: 

Link: Book a meeting

Cookie Information provides websites with a Consent Management Platform to secure that companies comply with current EU data protection regulations (ePrivacy and GDPR).

If you have any questions about our solution or how you can become GDPR compliant, do not hesitate to contact us.

Book a meeting with one of our compliance experts and we can discuss how your website can comply with ePrivacy and GDPR concerning cookies.