The case of Iberia highlights the negative consequences of using deceptive patterns in cookie consent mechanisms. Iberia used a cookie consent mechanism that did not provide users with a clear and granular choice to reject cookies. Instead, users were forced to accept cookies without the ability to reject them, in violation of Article 5(3) of the e-Privacy Directive and Article 22(2) of the Spanish law on cookies (LSSI). Moreover, the airline installed cookies before obtaining the user's consent, further violating the e-Privacy Directive. The directive requires that websites obtain the user's consent before placing cookies or similar technologies on their devices, and that the consent be obtained after providing the user with clear and comprehensive information about the purposes of the processing. Additionally, Iberia provided incomplete and misleading information about cookies on its website, which violated both the e-Privacy Directive and the Spanish law on cookies. The DPA found that the airline failed to inform users about third-party cookies and the storage period of the cookies, and did not provide clear information about the purposes of the cookies.