Data protection fine in Spain – over 30,000 euro for an incorrect use of a cookie banner

The Spanish data protection authority has recently imposed a fine of 30,000 euro on the low-cost airline Vueling for a cookie banner that violates Spanish data protection law.
In addition to the ruling of the European Court of Justice in October, several decisions of the Spanish data protection authority (“AEPD”) have been published in recent weeks, and the authority has also interpreted the current legislation on cookies. The authority therefore considers the following format (“Vueling model”) acceptable:

  • No cookies when accessing the website: No cookies are initially set when the website is visited.*
  • Cookie banner: In the lower part of the website, a banner is displayed asking for the user’s consent.
  • Cookies on click: If the user clicks on the “Agree and continue surfing” button, all cookies are set and the banner disappears.
  • “Cookie Manager”: Alternatively, the user can click on a second button called (for example) “Manage Settings”. This opens a popup (the “Cookie Manager”) similar to the “Lufthansa Model”, which contains information about the individual cookies and allows individual cookies to be deselected or consent to be completely rejected.
  • No cookies when ignoring the banner: If the user ignores the banner and simply continues to use the website, the banner remains unchanged and no cookies are set.
  • Imprint and privacy policy: It is important that the banner does not cover the links to the imprint and privacy policy.

*Required cookies may be set in any case even before any decision of the user.
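The consent rules of the model above can be checked mechanically against a recorded browsing session. The following is an added example, not code from the AEPD or Vueling: it replays a trace of page events and flags every cookie that was set outside the model. The cookie names, the event shapes and the sample trace are assumptions constructed for illustration.

```javascript
// Constructed cookie catalogue; the names are illustrative.
const CATALOGUE = {
  session_id: { required: true }, // required cookie: allowed before any decision
  analytics_id: { required: false },
  ads_id: { required: false },
};
// Replays a trace and reports every cookie set outside the model.
// Assumed event types: visit, navigate, accept_all, reject_all,
// save_settings {allowed: [...]}, set_cookie {name}.
function auditTrace(events, catalogue = CATALOGUE) {
  const optional = Object.keys(catalogue).filter((n) => !catalogue[n].required);
  let consented = new Set(); // optional cookies the user has agreed to
  let decided = false;       // false while the banner is still waiting
  const violations = [];
  events.forEach((ev, index) => {
    switch (ev.type) {
      case 'visit': // first access: nothing consented yet
        consented = new Set(); decided = false; break;
      case 'navigate': break; // ignoring the banner changes nothing
      case 'accept_all': // "Agree and continue surfing"
        consented = new Set(optional); decided = true; break;
      case 'reject_all': // consent completely rejected in the Cookie Manager
        consented = new Set(); decided = true; break;
      case 'save_settings': // individual cookies deselected in the Cookie Manager
        consented = new Set(ev.allowed.filter((n) => optional.includes(n)));
        decided = true; break;
      case 'set_cookie': {
        const def = catalogue[ev.name];
        if (!def) {
          violations.push({ index, name: ev.name, reason: 'not in catalogue' });
        } else if (!def.required && !consented.has(ev.name)) {
          const reason = decided ? 'not consented' : 'set before any decision';
          violations.push({ index, name: ev.name, reason });
        }
        break;
      }
      default: throw new Error(`unknown event type: ${ev.type}`);
    }
  });
  // Assumption: the banner is gone after any decision, not only after "accept".
  return { violations, bannerStillShown: !decided };
}

// Constructed sample trace: an analytics cookie is set while the banner is ignored.
const SAMPLE = [
  { type: 'visit' }, { type: 'set_cookie', name: 'session_id' },
  { type: 'navigate' }, { type: 'set_cookie', name: 'analytics_id' },
  { type: 'save_settings', allowed: ['analytics_id'] },
  { type: 'set_cookie', name: 'analytics_id' }, { type: 'set_cookie', name: 'ads_id' },
];
```

Calling `auditTrace(SAMPLE)` returns the violations with the index of the offending event, so a trace exported from a browser test run can be checked the same way once it is mapped to these event types.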