
October 30, 2019

Vueling Airlines Cookie Fine Demonstrates the Costs and Complications of GDPR Compliance

Written by David Corchado

Running afoul of privacy laws can cost your brand dearly. Consider the case of Vueling Airlines.

Vueling, the largest airline in Spain, was recently fined 30,000 euros by the Spanish Data Protection Authority for unlawful management of cookies on its website. The problem, as noted by the European Data Protection Board, is that visitors to the airline's website had no way to choose which cookies were installed on their devices: they could accept all of them or none. Under the General Data Protection Regulation (GDPR) standard of consent, that is not a valid choice.

The fine underscores how far GDPR reaches and why businesses need a comprehensive approach to compliance. GDPR is designed to protect the privacy rights of people in the EU by giving them more control over their personal data. It applies to any organization that processes the personal data of people in the EU, whether or not the organization itself is based there. (Strictly speaking, the rule that cookies need consent comes from the EU's ePrivacy rules, as transposed into national law; GDPR sets the bar for what counts as valid consent.)

Why GDPR Law Is a Challenge for Businesses

GDPR compliance is complicated. A business can comply with one element of GDPR while violating another. The European Data Protection Board points out that Vueling's website got some aspects of cookie law right: it explains what cookies are and which cookies it uses, it tells users that the information from cookies may be used by Vueling itself or through third parties, and it discloses that third-party analytics cookies may be used.

But according to the Spanish Data Protection Authority, Vueling fails to provide a cookie configuration panel that would let the user accept or reject cookies by category and delete them in a granular way. Worse, every cookie on the company's site is set in the user's browser, and begins tracking the user, as soon as the user starts browsing, before any consent has been given.

What Businesses Should Do

Businesses wanting to avoid the same fate as Vueling need to manage cookies carefully. Consent boxes must not be pre-ticked, and simply continuing to navigate the site cannot be treated as consent; the user has to actively opt in before a non-essential cookie is dropped. But cookie compliance is complicated. The UK Information Commissioner's Office (ICO) provides an example of just how complicated consent rules can be under GDPR in its guidance on cookies and similar technologies. Even a brief glance shows that cookie compliance is not easy.

As we've discussed on our own blog, privacy laws in general are also rapidly evolving, making it harder for businesses to know when they're compliant. As we reported, the ICO's guidance on the use of cookies and similar technologies (cited above) was revised in July, which shows why businesses need to stay on top of evolving regulations lest they unwittingly break the law.

This revised guidance from July has further clarified how cookies should be used under GDPR. Investis Digital's compliance team has been analyzing this new information and how it will affect what your website must do to satisfy the relevant legislation. We believe that most websites serving European audiences will require changes to comply with the new requirements. These changes should start with a fresh analysis of the existing cookie behavior on the website; and if a model of "implicit consent" is being used (cookies set as soon as the visitor browses, or consent boxes ticked by default), the site's JavaScript should be changed so that explicit, per-category consent is obtained before any non-essential cookie is dropped, and so that a user who later withdraws consent for a category has those cookies removed.
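Here is what that change looks like in code. The JavaScript below is an added example written for this post; it is not Investis Digital's or Vueling's code, and the cookie names and categories in it are constructed for illustration. It keeps the consent logic separate from the browser DOM so it can be read and tested on its own. It puts the "implicit consent" gate (allow once the visitor browses) beside the explicit one (allow only for categories the visitor has switched on, with nothing pre-ticked), and includes the granular withdrawal that the Spanish authority found missing.

```javascript
// Added example: gating non-essential cookies behind explicit, per-category consent.
// Pure logic, no DOM access, so it runs under Node as well as in a browser.
// Cookie names and categories are constructed for illustration.

// Which category each cookie belongs to. Strictly necessary cookies are exempt
// from consent; everything else needs an active opt-in.
const COOKIE_REGISTRY = {
  session_id:   "necessary",  // keeps the visitor logged in / holds the booking
  analytics_id: "analytics",  // third-party analytics
  ad_tracking:  "marketing",  // advertising / retargeting
};

// Default state: nothing is pre-ticked. Only "necessary" is on until the visitor
// opts in through the configuration panel.
const DEFAULT_CONSENT = Object.freeze({ necessary: true, analytics: false, marketing: false });

// The "implicit consent" model the regulator objected to: any browsing activity
// is treated as consent, so every cookie is set as soon as the visitor arrives.
function implicitConsentAllows(cookieName, visitorHasBrowsed) {
  const category = COOKIE_REGISTRY[cookieName];
  return category === "necessary" || visitorHasBrowsed === true;
}

// Explicit-consent model: a cookie may only be set when its category has been
// affirmatively enabled in the consent record. Unregistered cookies are never set.
function explicitConsentAllows(cookieName, consent) {
  const category = COOKIE_REGISTRY[cookieName];
  if (category === undefined) return false;
  return category === "necessary" || consent[category] === true;
}

// Build a new consent record from the choices made in the configuration panel.
// Categories the panel does not offer are ignored, "necessary" cannot be switched
// off, and only a literal `true` counts as consent (no truthy strings, no defaults).
function applyChoices(current, choices) {
  const next = { ...current };
  for (const [category, enabled] of Object.entries(choices)) {
    if (category === "necessary" || !(category in DEFAULT_CONSENT)) continue;
    next[category] = enabled === true;
  }
  return next;
}

// Granular withdrawal: given the cookies currently present in the browser, return
// the ones that must be deleted because their category is no longer consented to.
function cookiesToDelete(presentCookies, consent) {
  return presentCookies.filter((name) => !explicitConsentAllows(name, consent));
}

// Persist the visitor's choice in a first-party cookie (value for document.cookie
// or a Set-Cookie header). Six months is a common retention period for this record.
function consentCookieHeader(consent, maxAgeSeconds = 180 * 24 * 3600) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `cookie_consent=${value}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Read the stored choice back from a cookie header string. A missing, malformed or
// tampered record falls back to the defaults, i.e. "not consented".
function parseConsentCookie(cookieHeader) {
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== "cookie_consent") continue;
    try {
      return applyChoices(DEFAULT_CONSENT, JSON.parse(decodeURIComponent(rest.join("="))));
    } catch {
      return { ...DEFAULT_CONSENT };
    }
  }
  return { ...DEFAULT_CONSENT };
}
```

On a real site, the analytics and advertising tags would be loaded only after `explicitConsentAllows` returns true for their category, and `cookiesToDelete` would drive expiring those cookies (for example by rewriting them with `Max-Age=0`) when the visitor switches a category off in the panel. `parseConsentCookie` runs the stored record back through `applyChoices`, so a stale or tampered consent cookie cannot enable a category the panel does not offer or switch off strictly necessary cookies.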

One point is clear: privacy laws are here to stay. And they're only going to increase in scope. For instance, on January 1, 2020, California, one of the world's largest economies, brings its own consumer privacy law, the California Consumer Privacy Act (CCPA), into effect, ushering in another complicated and evolving set of requirements.

Investis Digital Can Help You

Investis Digital began as a Europe-based technology services provider focused on the FTSE 350. From the beginning, we have held ourselves accountable to the strongest data and privacy protection governance models because that was what our clients demanded. When Investis Digital rolls out a new service, we think about how to embed privacy by design. It is for this reason that Investis Digital does not store sensitive data, nor do we sell even benign data to third parties. High standards of security and governance have always been a requirement of our clients, and this level of accountability has never been more important than it is today.

For questions, contact Investis Digital.
