The Spanish supervisory authority agencia española protección datos (“Supervisory Authority”) has issued a fine (the original Spanish document can be accessed here) against an airline based on their use of a cookie banner, which the Supervisory Authority considered not to be compliant with privacy provisions.
In issuing the fine, the Supervisory Authority referred to Art. 22.2 of the Spanish Act of the Services of the Information Society and Electronic Commerce (Ley de Servicios de la Sociedad de la Información—“LSSI”) rather than the General Data Protection Regulation (“GDPR”). Art. 22.2 LSSI is based on the ePrivacy Directive, which is still in effect and is not replaced by the provisions of the GDPR—we note, however, that the ePrivacy Directive would likely be replaced by the provisions of the proposed ePrivacy Regulation, which is still being negotiated.
This fine highlights the European data protection authorities’ continued concern over the collection of personal information through cookies and other tracking technologies and should thus attract the attention of companies that provide websites to customers in the EU. The decision might set the standard for fines on the lack of consent for cookies and is in line with the rather conservative view of the European Court of Justice (“CJEU”) in its recent court decision, which explicitly referred to the GDPR (please also see our blog post on the CJEU’s decision).
The website of the airline contained a cookie banner, which stated:
Furthermore, the banner contained a button that stated “Accept and continue to browse”.
A cookie management system or configuration panel had not been provided.
The authority issued a fine of EUR 30,000 (which is the maximum possible fine under the LSSI for violation of Art. 22.2 LSSI). This, however, was reduced to a total of EUR 18,000 as the law provides for a reduction in cases in which the fined company accepts/acknowledges that they are responsible for the violation within the term provided to formulate their response (here 20%) as well as an additional reduction if the company pays the set fine before the proceedings resolution (here 20%).
Arguments for an Infringement
Art. 22.2 LSSI requires that the supplier of services may use data storage and retrieval devices in terminal equipment of the addressee, provided that the addressee has given their consent after they have been informed in a clear and comprehensive manner of the processing of personal data, in particular the purpose (consent for strictly necessary technology is exempted). The Supervisory Authority based the infringement of this article on the following reasons:
Therefore, the provided options in the banner are regarded insufficient to comply with statutory requirements.
Considerations Underlying the Amount of the Fine
The Supervisory Authority took the following aspects into consideration for the amount of the fine: