D.A.A.A – €18,000 Fine (Spain, 2019)
Vueling Airlines faced a fine for using pre-ticked boxes to get cookie consent from users. This practice misled visitors about their choices and continued to track them even after they opted out. This case highlights the importance of clear consent mechanisms for online businesses.
What happened
Vueling Airlines used pre-ticked boxes for cookie consent and continued placing third-party cookies after users rejected them.
Who was affected
Website visitors who interacted with Vueling Airlines' site and had their cookie preferences mismanaged.
What the authority found
The Spanish data protection authority found that Vueling Airlines violated rules by not obtaining proper consent for cookies.
Why this matters
This ruling emphasizes that companies must clearly inform users about cookie usage and obtain valid consent. Online businesses should ensure their consent practices are transparent and compliant.
National Law Articles
Entities Involved
The data subject complained to the DPA that it was impossible to purchase an airline ticket from the controller's website without accepting cookies and consenting to receive advertisements. The controller, Vueling Airlines S.A., had a box in its checkout procedure indicating consent to receive ads, but, contrary to the data subject's complaint, it was possible to purchase a ticket without checking the box. The controller's cookie policy allowed users to revoke consent to non-essential cookies by unchecking two pre-ticked boxes, one for "performance cookies" and one for "targeted cookies." However, some third-party cookies were incorrectly categorized as essential, so even when users unchecked the relevant boxes or clicked "reject all," non-essential cookies remained. The DPA found that the controller's consent banner violated Article 22.2 of the Spanish Law on Services of the Information Society and Electronic Commerce (Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico - LSSI) which requires service providers to obtain consent before installing non-essential cookies. The use of pre-ticked boxes is not a valid basis for consent, and the impossibility to reject cookies miscategorized as essential is not legal either. For these violations, the DPA ultimately fined the controller €18,000; an inital €30,000 fine was reduced by 40% because the controller voluntarily acknowledged responsibility for the infractions and agreed to pay the fine before final resolution of the sanctioning procedure.
Violations (6)
Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.
Art. 7 GDPR
Cookie consent checkboxes are pre-selected by default, violating the requirement for active, affirmative consent.
Art. 4(11) GDPR
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Tracking cookies remain active or are re-placed even after the user explicitly rejects them.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
No accessible mechanism exists for users to withdraw previously given cookie consent.
Art. 7(3) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for D.A.A.A in ES
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
6 October 2019
Authority
Agencia Española de Protección de Datos
Fine Amount
€18,000
GDPRhub ID
gdprhub-5002About this data
Cite as: Cookie Fines. D.A.A.A - Spain (2019). Retrieved from cookiefines.eu
Last updated: