In September 2019 a fine of €30,000 was imposed on VUELING AIRLINES, S.L. It had prevented website visitors from managing their cookies and those of third parties with an easily accessible tool.
Fulfilment of information obligations
- The information must be easily accessible, e.g. through a designated link in a prominent location.
- Information can be made available to users in a layered form. Especially, this form of presentation may be implemented in a Consent Management System.
- Information on cookies can also be made available to users on another medium (e.g. an offline information sheet).
- Consent can be obtained, for example, before downloading an app, when setting up an app, via a consent banner or via the user’s browser settings (the latter only under strict conditions).
- Cookies at the first layer must at least be grouped by their purpose (e.g. website analysis and marketing). This allows the user to make an informed choice. It is not recommended to enable individual selection of each cookie, as this leads to information overload.
- The consent must be verifiable.
- The revocation of consent must be as simple as giving it and must be possible at any time.
- Regarding minors under the age of 14, consent must be obtained from their legal guardian. According to the risk caused by the cookie, reasonable efforts must be taken to verify the declaring person.
- A website operator may obtain consent for several Internet sites at once, provided he gives sufficient information. Internet sites with deviating content (e.g. websites with content harmful to minors) must be clearly indicated.
- Users can also give their consent on another medium (e.g. offline registration card).
- In the opinion of the AEPD, at the latest every 24 months consent must be obtained anew.
An exception exists for cookies, which solely establish the connection between the terminal device and the network or provide a service expressly requested by the user. Therefore, no consent is required for the following cookie-based functions:
- Multimedia Playback;
- Website interface personalization (e.g. user selects language) and
- Social media plugins (very limited).
If personal data is processed using cookies, the information obligations in accordance with Art. 13 GDPR must nevertheless be fulfilled.