The Spanish DPA fined the airline Vueling €18,000 for relying on pre-checked consent boxes that enabled non-essential cookies and for continuing to use non-essential cookies even after users clicked "reject all."
Excerpt
Our analysis
The Spanish DPA imposed a fine on Vueling Airlines S.A. for violating Article 22.2 of the Spanish Law on Services of the Information Society and Electronic Commerce. The DPA found that Vueling's consent banner, which required users to accept non-essential cookies to purchase tickets, violated the law's requirement to obtain consent before installing non-essential cookies. Vueling also used deceptive patterns of preselection and forced action. While it was possible to purchase a ticket without checking the box for consent to receive ads, the box was still present and could mislead users into thinking that consent was required. Furthermore, Vueling's cookie policy allows users to revoke consent to non-essential cookies by unchecking pre-ticked boxes, but some third-party cookies were miscategorized as essential and could not be rejected. The use of pre-ticked boxes is not a valid basis for consent under the GDPR, and the LSSI also prohibits the use of such boxes for the installation of cookies. Additionally, the LSSI requires service providers to allow users to reject cookies at any time, which Vueling failed to do by miscategorizing some cookies as essential.
Outcome
The controller was fined €18,000 by the DPA for the violations, which included unauthorised processing of personal data and failure to implement adequate security measures. The initial fine of €30,000 was reduced by 40% because the controller accepted responsibility for the infractions and agreed to pay the fine before the final resolution of the sanctioning procedure.
Parties
D.A.A.A and Vueling Airlines S.A.
Case number
PS/00032/2019
Decision
Related deceptive patterns
Preselection employs the default effect cognitive bias – a psychological phenomenon where people tend to go with the option that is already chosen for them, even if there are other choices available. Providers know this and often use it to take advantage of consumers. A common approach is to show a pre-ticked checkbox, though there are various other ways of doing this, including putting items in the user's shopping cart, or pre-selecting items in a series of steps. There are lots of reasons why this is a powerful deceptive pattern. Firstly, there’s simply the matter of awareness - users have to notice it, read it and work out what it all means. If the user doesn't, they'll scroll past completely unaware of the implications. There are other cognitive biases that may be employed in this deceptive pattern. For example, the content may be written to make the user feel that other people like them would accept the default, so they should too (targeting the social proof bias). Alternatively, the content may use an authority figure to pressure users into accepting the default (targeting the authority bias).
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Related laws
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.