The Spanish Data Protection Authority has fined Vueling €30,000 for failing to provide a cookie banner that complies with the EU’s General Data Protection Regulation (GDPR).
The decision was based on the cookie banner being poorly constructed, displaying general information about what cookies are and which cookies are used, along with information that shows the user that Vueling can use the information by itself or through third parties.
However, with regards to the management of cookies, the banner merely states that “you can configure the browser to accept or reject by default all cookies or to receive an on-screen notice of the reception of each cookie and decide at that time its implementation or not on your hard drive.
Simply, the cookie banner gives the user a choice of either rejecting the cookies or to accept and acknowledge that they exist. It fails to provide a management system that allows the user to delete the cookies granularly.
Therefore, the Spanish Data Protection Authority (AEPD), considers the consent collected from this as not valid and subsequently, the airline has infringed Article 22(2) of the Spanish Law on Information Society Services Law and is being fined €30,000.
Vueling has acknowledged that it has infringed the law. As the company is willing to pay the fine promptly, the sanction has been reduced to €18,000.
This fine should come as a warning to other companies who have not implemented a tool or a system whereby users can decide which cookies he or she consents to.