The Spanish data protection authority ('AEPD') announced, on 21 October 2020, its decision, in proceeding PS/00032/2020, to fine Iberia, Líneas Aéreas de España, S.A. €30,000 for violating Article 22(2) of Law No. 34/2002, of 11 July 2002, on Information Society Services and Electronic Commerce. In particular, the decision highlights that Iberia failed to provide users with the option to reject cookies and instead required them to accept cookies if they wanted to continue browsing. In addition, the decision notes that Iberia claimed, among other things, that since June 2019 it has been working in the design of the solution for adapting the cookie policy to the requirements under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights ('LOPDGDD'), while also following the AEPD's recommendations under the Guide on Cookies ('the Guide') from November 2019. However, the decision highlights that the AEPD found that Iberia's website's cookie banner did not conform to the Guide's recommendations, as the information provided in its first layer was not concise, transparent, and intelligible, as well as that the second layer did not offer the option to reject all cookies and did not identify third party cookies, among others.

You can read the decision, only available in Spanish, here.