The Spanish airline Vueling.com did not offer the ability to change cookie settings before executing them.
The Spanish Data Protection Agency has sanctioned the company because their website did not have the option to give explicit consent to install ‘cookies’ except for a generic message.
The Spanish Data Protection Agency (AEPD) has issued a sanctioning resolution to verify that on the website Vueling “consent to transfer data to third parties through cookies is implicit, not explicit, and thus violates Article 22.2 of the Law on Information Society Services (LSSI).
The ‘cookies’ are small files that the provider of an Internet site places on the computer of users and can access again when they return to visit the site, in order to facilitate navigation on the Internet or transactions, or to obtain information on the behavior of such users.
“At no time does it give the option of being able to oppose the installation of these on the device or any other ‘cookies’, but refers to the configuration of browsers to delete or block them, not offering the possibility of denying consent for the use of ‘cookies’ or withdrawing the loan, if not through the options of the browser,” states the agency in its resolution.
For the AEPD, the airline could “enable one mechanism or button to reject all ‘cookies’, another to enable all ‘cookies’ or do so in a granular way to manage preferences.
What happens is that, as it states, “does not provide a management system or panel configuration of cookies that allows the user to delete them in a granular way,” i.e. one by one in the same window or pop-up where the management of cookies is explained.
The agency considers that “the information offered on the tools provided by various browsers to configure cookies would be complementary to the previous one, but insufficient”.
To date, Vueling’s website has not yet changed its ‘cookies’ policy to comply with the Data Protection Act based on the LSSI.