€30 fine for illegal use of cookies

The Spanish Data Protection Agency (AEPD) fined the airline Vueling Airlines LS 30 thousand euros for the illegal use of cookies. The company was accused of using optional cookies without the consent of users, and the site's cookie policy does not provide any way to refuse the use of such cookies. The airline also stated that the user consents to the use of cookies by continuing to use the site, and can disable their use in the browser settings, as well as withdraw consent to their use.

The regulator has established that this type of consent is not explicit, and the ability to disable the use of cookies through the browser settings does not mean that the requirements of the law are met. The fine of 30 euros was determined taking into account the intentional nature of the company's actions, the duration of the violation and the number of affected users. This decision of the regulator is in line with the recent decision of the European Court dated October 1, 2019, from which it follows that the use of cookies requires the active consent of the user, and consent in the form of a pre-set mark ("tick") is not legal.

Requirements for the use of cookies under the GDPR

In making its decision, the data protection agency referred to the Spanish local laws on data protection, but in fact the company's actions violate Articles 5 and 6 of the GDPR.

The following key requirements for the use of cookies under the GDPR can be distinguished:

  • the user should be able to refuse the use of cookies that are not required for the operation of the service, both before and after their use;
  • each type of cookie can be accepted or rejected independently of the others, without using a single button with consent to all types of cookies;
  • consent to the use of cookies by continuing to use the service is not considered legal;
  • an indication of the ability to disable cookies through the browser settings may complement the mechanisms for opting out of their use, but is not considered a full-fledged opt-out mechanism in isolation;
  • each type of cookie should be described in terms of functionality and processing time.

Other approaches to working with cookies

In Russia, the regulation of cookies under the Federal Law "On Personal Data" has its own characteristics. If cookies are considered personal data, then notification and consent of the user is required for their use. This may adversely affect the site conversion or completely block the operation of individual analytics tools. In some cases, it may be considered acceptable to use cookies without consent and notification. In any case, for each model of working with cookies, it is possible to select legal mechanisms with the least impact on the effectiveness of the interaction between the site and the user.

The most progressive approach to working with cookies is the approach in which the site does not formally notify the user about their use, but explains the need for cookies and motivates them to voluntarily agree to their use. Most users do not even realize that it is thanks to cookies that they can save the necessary data when closing the site page - filled out forms or baskets with goods from online stores.

An approach where sites shyly notify users of cookies and don't even try to ask for consent does not benefit either sites or users. Many site users have the opinion that the use of cookies on the site means the unfair use of personal data that users are forced to endure in order to use the service. And it is rarely obvious that cookies work for the benefit of not only the site owner, but also the user himself.

Source: habr.com
