D.A.A.A – €18,000 Fine (Spain, 2019)

€18,000Agencia Española de Protección de Datos6 October 2019Spain
final
Fine

The Spanish data protection authority fined D.A.A.A EUR 18,000 for using pre-ticked boxes for cookie consent and placing cookies without proper user agreement. This case shows that businesses must ensure clear and active consent for cookies on their websites.

What happened

D.A.A.A used pre-ticked boxes for cookie consent and placed cookies without proper user agreement.

Who was affected

Website visitors who had cookies placed on their devices without clear consent.

What the authority found

The Spanish authority found that D.A.A.A violated cookie consent rules by using pre-ticked boxes and placing cookies without user consent.

Why this matters

This case serves as a reminder that businesses must obtain clear and active consent for cookies. Website operators should review their cookie consent practices to avoid similar fines.

National Law Articles

Article 22.2 Law 34/2002, of July 11 LSSI
Article 22.1 Law 34/2002, of July 11 LSSI

Entities Involved

D.A.A.A
Vueling Airlines S.A.
Spain enforcementAgencia Española de Protección de Datos actionsAll D.A.A.A actions
Full Legal Summary
Detailed

Vueling Airlines used pre-ticked boxes for cookie consent, continued placing non-essential cookies after rejection, and miscategorized third-party cookies as essential.

Violations (6)

No Reject Button
critical

Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.

Art. 7 GDPR

Pre-ticked Consent Boxes
high

Cookie consent checkboxes are pre-selected by default, violating the requirement for active, affirmative consent.

Art. 4(11) GDPR

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Cookies Persist After Rejection
critical

Tracking cookies remain active or are re-placed even after the user explicitly rejects them.

Art. 6(1) GDPR

Third-Party Cookies Without Consent
critical

Third-party tracking cookies or scripts are loaded without obtaining prior user consent.

Art. 13, 14 GDPR

Cannot Withdraw Cookie Consent
critical

No accessible mechanism exists for users to withdraw previously given cookie consent.

Art. 7(3) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for D.A.A.A in ES

This is the only recorded action for this entity in this jurisdiction.

Similar Cases

Enforcement actions with similar violations

unknown (claimant)

2021 · DPA OLGWien

Azienda USL della Romagna

2021 · Garante per la protezione dei dati personali

€50K

Ramona Films, S.L.

2022 · Agencia Española de Protección de Datos

€8K

CNIL

2019 · Court of Justice of the European Union

Minister for Legal Protection

2022 · DPA RbOverijssel

Details

Fine Date

6 October 2019

Authority

Agencia Española de Protección de Datos

Fine Amount

€18,000

GDPRhub ID

gdprhub-5002

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified
Cookie relevance: 100%

Cite as: Cookie Fines. D.A.A.A - Spain (2019). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: