On the heels of the Planet49 decision, the Spanish data protection authority AEPD has fined Vueling Airlines €30,000 (reduced to €18,000 for payment in full) for failure to provide a compliant cookie disclosure/consent under GDPR.

Key takeaways (pertaining to cookies that require consent under GDPR):

  • You need to provide the individual with the ability to reject cookies.
  • You should have a button or another mechanism (like a cookie management platform) that allows individuals to accept or reject cookies in a granular (not all-or-nothing) manner.
  • The formulation of “I accept” and then “see user settings” is not sufficient.
  • The formulation of “by continuing to browse this site” is not sufficient for indicating consent or rejection.
  • Browser settings indicating an opt out can complement the ability to reject (using a button or a mechanism) but are not sufficient in lieu of them.

Read the full ruling.