Airline fined over cookie consent mechanism

Out-Law News | 31 Oct 2019 | 9:50 am | 1 min. read

A budget airline has been fined €30,000 after a regulator found fault with its 'cookie' consent mechanism.

The fine was imposed on Vueling by Spain's data protection authority after it determined that internet users were unable to exercise sufficient control over the cookies they were served when accessing Vueling's website.

The Agencia española de protección de datos (AEPD) said this failing on granularity of control represented a breach of cookie consent rules set out in Spain's law on information society services and e-commerce by Vueling.

"This fine was imposed as a consequence of a claim raised by an individual," said Madrid-based data protection law expert Paula Fernández-Longoria of Pinsent Masons, the law firm behind Out-Law. "It shows how data subjects are increasingly aware of their rights and the rules regulating privacy."

Cookies are small text files placed on an internet user's device. They are generated whenever the user's device interacts with websites. Websites use cookies mainly because they save time and make the browsing experience more efficient and enjoyable. Cookies also enable websites to monitor their users' web surfing habits and profile them for marketing purposes.

Spain's law on information society services and e-commerce implements the EU's e-Privacy law which requires website operators and other information society service providers to obtain internet users' consent to the use of cookies, other than those that are strictly necessary cookies, and to provide users with information about how to manage and delete cookies.

The Spanish regulator's decision was summarised by the European Data Protection Board (EDPB), the body that brings together national data protection authorities from across the EU.

The EDPB highlighted the contents of Vueling's cookie policy. The policy, among other things, explained how visitors to Vueling's website could "configure the browser to accept or reject by default all cookies or to receive an on-screen notice of the reception of each cookie and decide at that time its implementation or not on your hard drive", or alternatively use the 'do not track' cookie blocking tool and further set their browsers to revoke their consent to cookies served by third parties.

However, in practice Vueling failed to provide users with a cookie consent mechanism they could use that would enable them to delete cookies in "a granular way", the EDPB said.

"To facilitate this selection the panel would have to enable a mechanism or button to reject all cookies, another to enable all cookies or to be able to do it in a granular way in order to manage the preferences of each user," it said. "On this subject, it is considered that the information offered on the tools provided in the browsers of the computers to configure cookies would be complementary to the previous one, but insufficient for the intended purpose of allowing you to configure preferences in granular or selective form."