EUR 30,000 for “a simple cookie banner”?!? – Spanish Supervisory Authority fines airline for non-compliance

The Spanish supervisory authority agencia española protección datos (“Supervisory Authority”) has issued a fine (the original Spanish document can be accessed here) against an airline based on their use of a cookie banner, which the Supervisory Authority considered not to be compliant with privacy provisions.

In issuing the fine, the Supervisory Authority referred to Art. 22.2 of the Spanish Act of the Services of the Information Society and Electronic Commerce (Ley de Servicios de la Sociedad de la Información—“LSSI”) rather than the General Data Protection Regulation (“GDPR”). Art. 22.2 LSSI is based on the ePrivacy Directive, which is still in effect and is not replaced by the provisions of the GDPR—we note, however, that the ePrivacy Directive would likely be replaced by the provisions of the proposed ePrivacy Regulation, which is still being negotiated.

This fine highlights the European data protection authorities’ continued concern over the collection of personal information through cookies and other tracking technologies and should thus attract the attention of companies that provide websites to customers in the EU. The decision might set the standard for fines on the lack of consent for cookies and is in line with the rather conservative view of the European Court of Justice (“CJEU”) in its recent court decision, which explicitly referred to the GDPR (please also see our blog post on the CJEU’s decision).

What Happened?

The website of the airline contained a cookie banner, which stated:

“We use cookies to remember the user preferences, compile usage statistics, and provide the user with advertising based on the user’s browsing habits. If you continue to browse, we consider that you accept its use. You can obtain more information in this respect if you visit our Privacy Policy.”

Furthermore, the banner contained a button that stated “Accept and continue to browse”.

When accessing the Privacy Policy via the banner or a link at the bottom of the website, the Policy provided—inter alia—the following further information:

• The website uses local storage, cookies, beacons and pixel-tags—including those from third-party providers to perform evaluation and statistical calculations on anonymous data, as well as to guarantee the continuity of the service or to make improvements to the website;
• The data will not be processed for other purposes;
• Users can configure their browser to either accept or reject all cookies by default or to receive a warning that enables the user to decide at a time whether to reject or accept cookies and that the user may also use cookie-blocking tools such as “do not track” tools; and
• To withdraw the consent to the use of cookies, the user may at any time configure the browser in a way to prevent cookies from websites or third parties in general.

A cookie management system or configuration panel had not been provided.

The authority issued a fine of EUR 30,000 (which is the maximum possible fine under the LSSI for violation of Art. 22.2 LSSI). This, however, was reduced to a total of EUR 18,000 as the law provides for a reduction in cases in which the fined company accepts/acknowledges that they are responsible for the violation within the term provided to formulate their response (here 20%) as well as an additional reduction if the company pays the set fine before the proceedings resolution (here 20%).

Arguments for an Infringement

Art. 22.2 LSSI requires that the supplier of services may use data storage and retrieval devices in terminal equipment of the addressee, provided that the addressee has given their consent after they have been informed in a clear and comprehensive manner of the processing of personal data, in particular the purpose (consent for strictly necessary technology is exempted). The Supervisory Authority based the infringement of this article on the following reasons:

• The consent to transfer data to third parties via the cookies can only be provided implicitly, as the user is not provided with an option to (i) reject the installation of such cookies, or (ii) refuse or withdraw consent to the use of such cookies, except as provided through the browser settings.
• The configuration does not provide a cookie management system or configuration panel that would enable to reject the cookies in a granular way.

Therefore, the provided options in the banner are regarded insufficient to comply with statutory requirements.

Considerations Underlying the Amount of the Fine

The Supervisory Authority took the following aspects into consideration for the amount of the fine:

• Intentionality, as the company was responsible to comply with the provisions of the law;
• Duration of the infringement;
• Nature and amount of the damage caused in relation to the amount of users affected by the infringement;
• Benefit of the company gained by the infringement in relation to the amount of users affected; and
• Volume of the company’s turnover.

Takeaways

• It becomes more and more apparent that data protection authorities as well as the CJEU deem it necessary to provide for a cookie management option.
• It should be considered to provide for options to (i) enable all tracking tools, (ii) reject them all and (iii) provide a granular selections (i.e., by providing an option to select each cookie).
• Even if a company considers their market position as not belonging to the “prime target” of data protection authorities, companies should be sufficiently aware that they still may be subject to a fine due to complaints by a user. This current case had also been initiated by an individual’s complaint.