This case study is part of a mediation effort by the LINC on the design of interfaces. It translates in the form of a fictitious service decisions made by the CNIL in order to make them clear and accessible. It illustrates breaches of the General Data Protection Regulation (GDPR) identified by the CNIL in the design of user interfaces and user journeys, in order to avoid them in your products and services. The study does not address an entire user journey of a product or service and focuses on certain aspects. As such, it does not necessarily cover all the requirements of the GDPR.
[…] Fuzzy, a rising smartphone manufacturer, is launching its own operating system. By default, the company installs its native applications on the phones, some of which requiring the creation of a FuzzyConnect account. This account promises easy and intuitive management of the phone and of the associated services using a single login. By proposing to use only its services, the manufacturer aims to create a seamless experience of its services with a uniform user experience. Its ambition is to divert consumers from the more traditional players. Fuzzy is also banking on the transparency of the processing it implements and on giving users control of their data to attract and retain customers. All these measures are put in place to gain the trust of users.
However, after a rather convincing launch, the brand quickly attracted criticism as to its promises. Thus, an overall lack of transparency towards its users, sometimes leaving them particularly confused about the processing of their personal data and the protection of their privacy, has been criticised by many digital stakeholders. In this context, what are the practices implemented by Fuzzy that do not provide enough transparency on its processing, and more broadly, do not comply with the GDPR?