On October 17, 2019, The Spanish Data Protection Authority (DPA) served a 30,000 € fine on the airline company Vueling for failing to provide visitors of its website with a cookies management mechanism that allows them to refuse or to delete cookies in a granular manner.
According to the DPA, Vueling provided visitors with comprehensive information about the type of cookies that were dropped on its website and their purposes. However, it only informed users that they could configure their browser or use the “do not track” blocking tool to refuse cookies at any time.
The Spanish DPA considered that relying on browser setting only was in breach of the Spanish Law on Information Society Services and Electronic Commerce that requires visitor’s consent and the provision of clear and complete information before dropping cookies on their terminal.
The DPA expected Vueling to provide users with a reject all cookies mechanism and an additional mechanism enabling them to delete each type of cookies in a granular way.
Though the fine is not yet very high, it is recommended not relying on browser setting as a cookie management tool as the data protection authorities could get tougher in the future.
This post is also available in fr_FR.