The Spanish Data Protection Authority (DPA) has fined an airline for violating cookie regulations on their website. The airline failed to give users a choice, provide sufficient information, and allow users to reject all cookies at once.
Excerpt
Our analysis
The case of Iberia highlights the negative consequences of using deceptive patterns in cookie consent mechanisms. Iberia used a cookie consent mechanism that did not provide users with a clear and granular choice to reject cookies. Instead, users were forced to accept cookies without the ability to reject them, in violation of Article 5(3) of the e-Privacy Directive and Article 22(2) of the Spanish law on cookies (LSSI). Moreover, the airline installed cookies before obtaining the user's consent, further violating the e-Privacy Directive. The directive requires that websites obtain the user's consent before placing cookies or similar technologies on their devices, and that the consent be obtained after providing the user with clear and comprehensive information about the purposes of the processing. Additionally, Iberia provided incomplete and misleading information about cookies on its website, which violated both the e-Privacy Directive and the Spanish law on cookies. The DPA found that the airline failed to inform users about third-party cookies and the storage period of the cookies, and did not provide clear information about the purposes of the cookies.
Outcome
The Spanish DPA imposed a €30,000 fine on an airline for violating cookie regulations by not giving users a choice, offering insufficient information, and not allowing users to reject all cookies at once on their website.
Parties
Iberia Lineas Aereas De Espana, S.A. Operadora Unipersonal and D.A.A.A (Complainant)
Case number
PS/00032/2020
Decision
Related deceptive patterns
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Requires website operators to obtain user consent before storing or accessing information on the user's device through cookies or similar technologies.
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.