The fine was imposed on Vueling by Spain's data protection authority after it determined that internet users were unable to exercise sufficient control over the cookies they were served when accessing Vueling's website.
The Agencia española de protección de datos (AEPD) said this failing on granularity of control represented a breach of cookie consent rules set out in Spain's law on information society services and e-commerce by Vueling.
"This fine was imposed as a consequence of a claim raised by an individual," said Madrid-based data protection law expert Paula Fernández-Longoria of Pinsent Masons, the law firm behind Out-Law. "It shows how data subjects are increasingly aware of their rights and the rules regulating privacy."
The Spanish regulator's decision was summarised by the European Data Protection Board (EDPB), the body that brings together national data protection authorities from across the EU.
However, in practice Vueling failed to provide users with a cookie consent mechanism they could use that would enable them to delete cookies in "a granular way", the EDPB said.
"To facilitate this selection the panel would have to enable a mechanism or button to reject all cookies, another to enable all cookies or to be able to do it in a granular way in order to manage the preferences of each user," it said. "On this subject, it is considered that the information offered on the tools provided in the browsers of the computers to configure cookies would be complementary to the previous one, but insufficient for the intended purpose of allowing you to configure preferences in granular or selective form."