IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL – €30,000 Fine (Spain, 2020)
Iberia's website was fined for not allowing users to reject cookies and for placing them before getting consent. This matters because it shows that companies must clearly inform visitors about cookie usage and give them real choices. Failing to do so can lead to penalties.
What happened
Iberia's website lacked a reject button and placed cookies before obtaining user consent.
Who was affected
Website visitors who interacted with Iberia's site and had cookies placed on their devices without proper consent.
What the authority found
The Spanish data protection authority found that Iberia violated ePrivacy rules by not providing clear cookie information and consent options.
Why this matters
This case highlights the importance of transparent cookie practices. Companies should ensure they have clear consent mechanisms to avoid fines.
National Law Articles
A user of the website of Iberia, an airline, lodged a complaint before the Spanish DPA (AEPD) saying that they had not been given an option to reject the cookies when using the website, and that they had been obliged to accept them to keep browsing. During the investigation, the AEPD also found that cookies were placed before obtaining consent. Additionally, they found that the information about cookies was incomplete and misleading. The AEPD concluded that Iberia had infringed Article 22(2) of the Spanish law on cookies (LSSI), as transposed from the e-Privacy Directive. The DPA considered that the airline should have allowed users to reject cookies in the second layer at once, instead of granularly, and that it should not had installed cookies without allowing users to exercise their choice. The airline should have also informed users about third party cookies and the storage period, as well as more clear information about the purpose of cookies. For this, the Spanish DPA fined Iberia €30,000.
Violations (6)
Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.
Art. 7 GDPR
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.
Art. 12, 13 GDPR
The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).
Art. 7 GDPR
Users cannot select or deselect individual cookie categories; consent is presented as all-or-nothing.
Art. 4(11) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL in ES
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
16 October 2020
Authority
Agencia Española de Protección de Datos
Fine Amount
€30,000
GDPRhub ID
gdprhub-3698About this data
Cite as: Cookie Fines. IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL - Spain (2020). Retrieved from cookiefines.eu
Last updated: