The Spanish data protection authority fined VUELING AIRLINES S.L. 30.000 Euro[1] for failing to collect appropriate consent for the use of cookies on their website.

In order to provide data subjects with the required information for transparency purposes under article 13 GDPR, the company implemented a 2-layer approach:

In the first layer, the wording mentioned that VUELING uses cookies for analytical purposes involving the use of their website, and in order to provide targeted advertising to the website users. However, the wording also included an implied consent, according to which, if the website user continued to navigate their website, VUELING would assume that he/she (the website user) accepts the use of their cookies.

In the second layer, VUELING provided more information to their website users, mentioning the following:

  1. A description of what cookies are;
  2. Information on which cookies are used on the website;
  3. Information for website users stating that VUELING could use beacons, pixel tags, and local storage for the purposes of statistical evaluations over anonymous data, and to guarantee the continuity of the services offered through their website for their own purposes or through third party websites;
  4. The option for website users to configure the cookies according to their preferences within their browser settings; and,
  5. The option for website users to withdraw their consent for the use of cookies by adjusting their browser settings.

Legal Reasoning

The Spanish DPA considered that when website users reached the second layer of information, they were no longer able to object to the use of these cookies, as the policy redirects this option to the settings of the web browser. Hence, the option provided to data subjects would not allow them to manage the use of cookies appropriately. Although the information regarding the browser configuration for cookies is a complementary measure, this information alone does not allow users to manage their preferences individually. Website users should have the option to either accept all cookies, deny all cookies, or be offered an individual panel for the management of cookies.

According to the Spanish DPA, by using this approach, VUELING violated article 22.2 of Law 34/2002 of 11 July on Information Society Services and Electronic Commerce[2]. This provision requires the consent of the data subjects to be provided for the storage and recovery of data in terminal equipment, in line with the requirements of European data protection law. Furthermore, this same article (22.2) classifies the infraction as a minor infraction under article 38.4 lit. g) of the same law. According to that article, the sanction for such a minor infraction may amount to up to 30.000€.

Therefore, when establishing the sanction, the Spanish DPA considered the following, in line with article 40 of Law 34/2002:

  • The existence of intention interpreted as guilt according to Spanish case law[3] as the company had to obtain consent from the data subjects;
  • The timeframe in which the infraction was committed, considering that the complaint was filed in January 2019;
  • The nature and amount of the damages in relation to the volume of users affected by the infraction;
  • The benefits obtained from the infraction in relation to the users affected by it; and,
  • The turnover of the company.

The sanction was reduced to 18.000 € (a 20%), as article 85 of Law 39/2015 of Common Administrative Procedure allows for a reduction of the fine whenever the perpetrator has accepted responsibility for the infraction, thus resulting in the termination of the administrative procedure. Therefore, VUELING paid a total of 18.000€ on September 24th, 2019, bringing the procedure to an end.

The above sanction shall be considered as a precedent regarding the imposition of administrative sanctions by the Spanish DPA, in particular with regard to the failure to collect appropriate consent for the use of cookies on a website. The imposed sanction of 30.000 € is within the local limit for minor administrative sanctions, and within the range established for sanctions under article 83 numerals 2 and 5 of the GDPR.

Contrast with CJEU ruling Planet49 Case C-673/17[4]

It is interesting to analyse the synergy between the ruling by the Court of Justice of the European Union concerning the consent of the data subject for the use of cookies, and the case at hand. In the Planet49 case, the Advocate General indicates that the data subject's wishes must clearly result in an affirmative action. The use of a pre-ticked box may be considered as passive behaviour from a website user. In line with this, the selection of a button to participate in a lottery is not to be considered as sufficient consent for the storage of cookies. Therefore, consent as required under articles 2 (f) and 5(3) of the Directive on Privacy and Electronic Communications (Directive 2002/58), in line with the requirements of Article 6 num. 1 lit (a) of the GDPR, is not validly constituted for the storage of information or access to information stored in a website user's terminal whenever the website user must deselect a pre-ticked checkbox to refuse his or her consent.

In comparison, the legal reasoning in the VUELING sanction further supports the concept of consent for the use of cookies, as it establishes that implied consent for the use of cookies is also not a valid consent under the regulation, and further reinforces the implementation of an active consent method as described under Recital 32 GDPR[5].

Due to the complexities of acquiring appropriate consent for marketing purposes from website users, we look forward to seeing more interpretations by the Data Protection Authorities which further develop consent for the use, storage or access of cookies in terminal devices under the GDPR.

 

[1] https://www.aepd.es/resoluciones/PS-00300-2019_ORI.pdf

[2] https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758

[3] Sentencia de la Audiencia Nacional de 12/11/2007 recaída en el Recurso núm. 351/2006

[4] http://curia.europa.eu/juris/document/document.jsf?text=&docid=218462&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=8453384

[5] Recital 32 GDPR: “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”