  • Henry Park

Cookies really need explicit consent


The Spanish Data Protection Authority (DPA) recently fined the airline Vueling for the way it configured cookies on its website.

The following analysis is based on a translation of the decision (see link).

Visitors to Vueling's website were greeted with a cookie notice that said: "We use cookies.... If you continue browsing, we consider that you accept its use. You can get more information about it by consulting our Cookies Policy." In the Cookies Policy, the visitor learned that they could control cookies via their web browser.

The DPA found that Vueling's practice violated Article 22.2 of the Law on Information Society Services (LSSI), which permits service providers to place cookies if (i) consent has been obtained, and (ii) prior to granting consent, the user has been provided with clear and complete information on the use of cookies, including the purposes of the data processing. The DPA appears to have found that a visitor was not provided with sufficient information about the cookies before they started to browse the website, and that consent was therefore not valid.

If your website relies on implicit consent for cookies, you need to change when cookies are placed on your visitors' computers. Explicit consent should be required before non-essential cookies are placed on a visitor's computer.

Image by Andrew Magill on Flickr licensed under CC BY 2.0.
