The AEPD (Spanish Data Protection Agency) announced on October 21st a sanction of 30,000€ for illegal cookie practices against Iberia, the Spanish national airline.

The authority noted that Iberia provided an incomplete information in its first level cookies banner whilst its second level does not identify the third-party cookies deposited nor does it provide a device to refuse cookies.

The Spanish authority did not base its sanction on non-compliance with the RGPD, but on the Spanish law transposing Directive 2009/136/EC on the processing of personal data in the electronic communications sector, under which the maximum sanction is €30,000.

This is the second sanction of the Spanish Authority regarding cookies after that of August 6th, 2020, placing the issue of cookie compliance at the center of European national authorities’ concerns for the end of 2020.