A fine of 30 thousand euros for the illegal use of cookies


The Spanish Data Protection Agency (AEPD) fined Vueling Airlines LS for € 30,000 for the illegal use of cookies. The company was accused of using optional cookies without the consent of users, and the policy of using cookies on the site does not provide an opportunity to refuse to use such cookies. The airline said that the user agrees to the use of cookies by continuing to use the site, and may disable their use in the browser settings, as well as withdraw consent to their use.

The regulator found that this type of consent is not explicit, and the possibility of prohibiting the use of cookies through browser settings does not mean compliance with the law. The fine of 30 thousand euros was determined taking into account the intentional nature of the company’s actions, the duration of the violation and the number of affected users. Such a decision of the regulator corresponds to a recent decision of the European Court of October 1, 2019, from which it follows that the use of cookies requires the active consent of the user, and consent in the form of a pre-set mark (“checkmark”) is not legal.

GDPR cookie requirements

The data protection agency, when making the decision, referred to the local data protection laws of Spain, but in fact the company's actions violate Art. 5 and 6 GDPR.

The following key requirements for the use of cookies according to the GDPR standards can be distinguished:
– the user should be able to refuse the use of cookies, which are not required for the functioning of the service, both before the start of their use and after;
– each type of cookie can be accepted or rejected independently of the others, without using one button with the consent to all types of cookies;
– consent to the use of cookies by continuing to use the service is not considered legal;
– an indication of the ability to disable cookies through browser settings can complement the mechanisms for refusing to use them, but is not considered separately as a full-fledged refusal mechanism;
– Each type of cookie should be described in terms of functionality and processing time.

Other cookie approaches

In Russia, the regulation of cookies under the Federal Law “On Personal Data” has its own characteristics. If we consider cookies to be personal data, then their use requires notification and consent of the user. This may adversely affect the conversion of the site or completely block the operation of individual analytics tools. In some cases, the use of cookies without consent and notice may be considered permissible. In any case, for each model of working with cookies, you can choose the legal mechanisms with the least impact on the effectiveness of the interaction between the site and the user.

The most progressive approach to working with cookies is an approach in which the site does not formally notify the user about their use, but explains the need for cookies and motivates to voluntarily consent to their use. Most users do not even realize that it is thanks to cookies that they can save the necessary data when closing the page of the site – completed forms or baskets with goods of online stores.

The approach in which sites shyly notify users of cookies and do not even try to request consent does not give advantages to either sites or users. Many site users have the opinion that the use of cookies on the site means the unfair use of personal data that users have to endure in order to use the service. And it is rarely obvious that cookies work not only for the benefit of the site owner, but also for the user.


Similar Posts

Leave a Reply