The Spanish Data Protection Authority fines Vueling 30,000 euros for failing to comply with cookie rules

By Lupe Sampedro, Ester Vidal, Natalia Gonzalez

10-2019

In its decision, the Spanish Data Protection Authority ("AEPD") states that when accessing the airline's website, a banner with information on the use of cookies is shown to the user. However, the user is not offered a tool aimed at managing cookies. Instead, the user is informed that cookies have to be managed by means of the web browser settings.

As anticipated by the AEPD in its 10th annual session (here we published the main highlights of the session), in order to gather users' consent for the use of cookies, the "continue browsing" option would still be valid if, simultaneously, the user is offered a tool aimed at objecting to the use of cookies that enables him/her to decide which cookies he/she allows.

The AEPD has considered that the consent collected by Vueling by means of the "continue browsing" solution is not valid because the company does not offer users a tool such as the one described above. Therefore, the AEPD considers that the airline has infringed Article 22(2) of the Information Society Services Law ("LSSI").

The AEPD has classified the infringement as minor and has fined the company 30,000 euros. However, since Vueling recognised having infringed the law and since the company was willing to pay promptly, the sanction has been lowered to 18,000 euros.

With its decision, the AEPD has confirmed that collecting consent by means of a "continue browsing" solution is still valid, provided certain requirements are met. This is despite the recent judgement of the European Union Court of Justice on cookie consent (case C-673/17 – Planet 49).

This fine should serve as an alert to all those companies that have still not implemented a tool offering the user the possibility to object to the use of cookies, or a system that allows the user to decide which cookies he/she consents to (granularly).