Google faced liability for processing user data across services without affording users adequate choice options through its selection dialogue interfaces.
TikTok was held liable for nudging children towards privacy-intrusive settings using bold text in two pop-up notifications, hindering neutral and objective choices.
FTC enforcement action against Amazon relating to the Amazon Prime subscription, including explicit mappings in the complaint to five types of "dark patterns".
Vermont held AdoreMe liable for hidden subscriptions, misrepresenting time-limited discounts, and obstructing subscription cancellations.
The New York Times was held liable for failing to clearly disclose automatic subscription renewal terms, leading to unauthorized charges and hidden subscription renewals.
HomeAdvisor was fined for misleading users about the cost of an optional one-month subscription and making false representations about its services.
Nintendo faces a class action lawsuit over allegedly compelling players to make in-game purchases by creating hurdles for non-buyers and employing fake limited-time offers.
Epic Games faced a fine from the FTC after allegations that the company employed deceptive techniques to manipulate players into making unintended purchases, while also allowing children to accumulate unauthorized charges without parental consent.
Italian DPA found Ediscom guilty of using misleading interfaces and unclear submission procedures, such as prompting users to provide consent for marketing despite already denying it.
Credit Karma was fined for using false "pre-approved" claims to entice consumers into applying for credit card offers they often did not qualify for.
Grubhub was fined for promises of "free" orders via subscription, unauthorised restaurant listings, and hidden fees.
TikTok was fined by the French DPA for implementing advertising identifiers without consent and for having an insufficiently informative cookie banner. The banner allowed users to accept all cookies with one click, making it difficult to refuse them, and some advertising cookies were placed even if a user did not consent.
VOODOO was fined by the French DPA for not obtaining user consent for personalized advertising and for providing false information about user tracking behavior. Users were presented with a misleading choice of accepting or declining tracking, followed by a second window requiring acceptance of the provider's data protection policy.
The French DPA fined Apple for implementing the ‘personalised ads’ setting as default without prior consent and making it hard to change the setting by involving multiple steps.
The French DPA fined Microsoft for installing non-essential cookies without valid consent and making refusal of cookies harder than accepting them by placing them on a second layer.
The Spanish DPA fined a hospital for obtaining consent through pre-ticked boxes for commercial communication and data processing and for failing to provide a copy of the form in a timely manner.
Emma Matratzen GmbH is accused of misleading consumers by using a countdown clock to create the impression that its sale was time-limited, despite starting another sale for new customers immediately after the "flash sale" ended.
The Belgian DPA issues a reprimand to a government agency for failing to provide website visitors with clear information and a means to refuse non-strictly necessary cookies.
The Irish DPC has issued a draft decision against Yahoo for using a cookie banner that lacks an option for users to deny ad tracking and so does not offer the required free choice.
Vonage was held liable by the court for charging customers without their consent, failing to provide required disclosures, and not offering simple mechanisms for customers to cancel their telephone services.
The Danish DPA expressed criticism against a controller for using multiple layers to collect consent, not providing adequate information and using colors (greyed options) to influence user choice.
The Italian DPA fined Douglas for providing a single button to accept the general terms and conditions, privacy policy and cookie policy. Additionally, there was no information about data processing in its privacy policy.
Google was held liable for deceptively tracking users' location data, even after they had disabled the "Location History" setting on their smartphones.
The DPA imposed a fine on a website because the web pages where personal data are requested do not provide information on the company’s privacy policy.
Instacart was held liable for misrepresenting and omitting material facts concerning the default, variable service fee added to consumers' orders.
The EDPB fined Meta for providing insufficient information about the processing of contact information on children’s business accounts and for using ‘public by default’ settings for child users.
The Hungarian DPA fined a hotel booking service for sending direct marketing emails without a valid legal basis, not obtaining separate consent for specific purposes, and not expressly mentioning data processing purposes in the privacy policy.
Consumer Council takes legal action against Amazon over obstructive Amazon Prime cancellation process.
CNIL found Amazon guilty of depositing cookies without prior consent and of failing to inform users about the depositing of cookies or the means to refuse them.
A news service was fined by the Hungarian DPA because the controller's newsletter subscribers were automatically enrolled in electronic marketing and a prize draw without adequate information or the ability to provide specific consent.
Groupe Rossel & Cie, a press group, was found to have unlawfully obtained user consent for the management of non-essential cookies on its websites through the ‘further browsing’ technique, which unlawfully coupled the users' expression of cookie consent with the choice to continue to the website.
The Belgian DPA fined Roularta for several violations regarding the use of cookies, such as placing unnecessary cookies, placing statistical cookies without obtaining consent, using pre-ticked boxes to grant consent for cookies from partners, providing false and inadequate information in their privacy policy, and making it impossible to revoke consent.
The Spanish DPA imposed a fine on the owner of a commercial website for processing personal data without proper consent, using unnecessary third-party cookies that could not be rejected, and failing to provide clear information about the cookies in use in the Cookies policy.
TransUnion deceived consumers by falsely marketing credit scores and credit-related products, enrolling consumers without consent, lacking cancellation mechanisms, and providing misleading information about the products' costs, purpose, and protection of personal information.
Ed Napleton Automotive Group was held liable for imposing unauthorized "junk fees" by sneaking unwanted add-on products.
Klarna Bank was fined by the Swedish DPA for insufficiently informing data subjects about its processing activities, including international data transfers, retention periods, data subject rights, and automated decision-making, such as profiling.
Noom Inc reached a settlement, having been accused of tricking customers into signing up for "risk-free" trial periods only to force them into automatic and costly renewals that were difficult to cancel.
The Belgian DPA fined IAB Europe because the information provided to data subjects was too generic and incomplete regarding the processing of their data and their right to object to it.
The Spanish DPA found an online clothing store responsible for handling personal data without consent from the people involved, not having a privacy policy in place, and using unnecessary cookies without informing users properly through a cookie banner.
The Spanish DPA fined an online genealogy platform for placing unnecessary own and third-party cookies before asking for consent, and for not offering sufficient information about cookies in the banner and in their privacy policy.
The Spanish DPA imposed a fine on an adult content website for violating data protection regulations. The website was penalised for using cookies without providing adequate information about their nature and purposes, as well as for having an outdated privacy policy that did not comply with the GDPR.
The French DPA found Facebook guilty of making it more complex for users to refuse cookies than to accept them, and of not providing users with clear information on refusal of cookies.
MyLife.com was held liable for luring consumers in hard-to-cancel subscription programs and deceptive billing practices.
Google LLC and Google Ireland Limited required users to go through several steps to refuse cookies and did not provide a “refuse all” button in the first layer of the cookie notice.
The Norwegian DPA held the controller liable for direct marketing to a data subject despite the data subject having previously objected to such processing.
The ICO issued a penalty against Unite the Union for unsolicited direct marketing calls to people who had explicitly opted out and to those who had not given informed, valid consent to receive such calls.
The DPA held a public entity liable as the details were not easy to find on the website, and were only accessible in English, and not in any of the official languages.
The Danish Data Protection Authority issued a ruling against a company which was found to have placed cookies on their website without obtaining valid consent from data subjects. The pop-up cookie banner on the website was designed in a way that made it more difficult for users to reject the use of cookies than to accept them. The company was found to have failed to obtain valid consent from users for the placement of cookies on their devices.
The PREICO JURÍDICOS website was fined by the Spanish DPA for violating regulations regarding the use of cookies. The website was found to have used non-technical and non-necessary cookies without obtaining proper consent, failed to display an appropriate cookie banner, and provided insufficient information in its Cookies Policy.
We Buy Any Car Ltd, a car valuation company, was fined by the UK DPA for sending unsolicited marketing emails and SMS, with complainants unable to unsubscribe from them.
The Irish DPC held WhatsApp liable for failure to provide non-users with the necessary information and making it difficult to access by excessively spreading it out across several documents.
SOCIETE DU FIGARO was held responsible for allowing partners to deposit cookies on user terminals for advertising purposes without obtaining users' consent or action. The company failed to provide users with effective means to refuse the deposit of cookies for advertising purposes, despite users expressing their desire to do so.
Marbella Resorts was fined by the Spanish DPA for not having a data processing agreement with the processor and for violating the Spanish Law on cookies by placing unnecessary cookies without user consent.
Emailmovers Limited's privacy policy was not specific enough and did not clearly name third-party recipients. Deploying the deceptive pattern of hidden and misleading information, the company's email data and marketing service were found to have no clear lawful basis for possessing individuals' personal data, violating the principles of lawfulness, fairness, and transparency.
The Spanish DPA (AEPD) imposed a fine on a radio station for not including a link to their cookie policy in the cookie banner and for placing non-essential cookies on user devices without obtaining prior consent.
UK DPA fined a car finance company for not providing a simple, clear and specific opt-out process for marketing, lack of information about data processing practices, and absence of opt-out option for individuals.
The Czech DPA fined a broadcaster because the information it provided was not easily accessible and was incomplete and outdated.
ABCmouse agreed to pay $10 million and change its marketing and billing practices after the FTC found it misled consumers about cancellations, withheld information and charged memberships without consent.
The Spanish Data Protection Authority (DPA) imposed a fine on a website for violating data privacy laws by installing third-party cookies without user consent and failing to provide sufficient information about the purpose of these cookies. Additionally, the website did not offer an option to reject these cookies and continued to use them without consent even after the user had deactivated the option.
TikTok was fined by the Dutch DPA for violating GDPR Article 12(1) by providing its privacy policy solely in English to Dutch users, many of whom are children under the age of 16.
Abanca Corporación Bancaria was found to be using unnecessary cookies on its website without obtaining prior consent from users, leading to a fine by the Spanish Data Protection Agency (AEPD).
Caixabank Bank was fined by the Spanish DPA for using pre-ticked boxes to request consent for processing personal data, and charging customers who did not accept the terms a monthly maintenance fee of €5.
Washpoint SL was fined by the Spanish DPA (AEPD) for two violations: first, the absence of a Privacy Policy on their website; and second, the absence of a reject button on the second layer of their Cookie Policy.
Predase Servicios Integrales SL was fined by the Spanish Data Protection Agency (AEPD) for breaching Article 13 of the GDPR. The company was found to be non-compliant as it did not have a privacy policy and failed to provide any information on data processing in the contact section of its website, which required users to provide their personal data.
The Belgian DPA fined a private company targeting pregnant mothers. Through its marketing campaign, the company collected personal data without clearly informing data subjects of the processing. Despite withdrawing consent, the complainant was contacted by third parties for promotions, and the company made it technically difficult to withdraw consent and stop receiving unwanted phone calls from the defendant's partners.
The Spanish DPA (AEPD) fined ASOCAPAC for insufficient information provided on the first layer of the cookie banner and the missing "refuse all cookies" option in the cookie policy on their website.
The Austrian DPA found the respondent at fault for not providing information and notifications in languages that are relevant to the countries where the services are being offered, based on the nationality or place of residence of the data subject.
HH Invest SIA, an online store, was fined by the Latvian DPA (Datu valsts inspekcija) for insufficiently informing a data subject about the processing of their data.
The Danish DPA (Datatilsynet) found that a website's cookie consent mechanism was inadequate, as it only provided an "Allow all cookies" option, making continued use of the website equal to consent. The DPA clarified that this approach to marketing cookies was not in compliance with the law.
Banco Bilbao Vizcaya Argentaria, SA was fined by the Spanish Data Protection Authority (AEPD) for issues related to imprecise terminology, vague formulations, the absence of the option to refuse in the privacy policy, and the use of pre-ticked checkboxes to obtain consent.
DoorDash was held liable for deceiving consumers by falsely portraying the impact of their tips on Dasher pay and encouraging tips under false pretenses.
Carrefour France has been fined by CNIL for violating GDPR and French data protection laws, including excessive data retention, unclear data processes, inadequate response to requests, security breaches, and unlawful use of cookies. They also sent prospecting emails despite objections and did not provide unsubscribe links.
The company was held liable for insufficient clarity in information, and the absence of a clear cookie policy or consent for the use of cookies.
Orange România SA was found responsible for using pre-ticked boxes as a form of obtaining consent from customers for storing copies of their identity documents, which does not constitute active consent.
BORJAMOTOR, S.A. received a complaint from a customer who expressed their objection to the company's processing of their personal data for direct marketing purposes via email. Despite this objection, the customer continued to receive emails with offers from the company, at a reduced frequency. BORJAMOTOR, S.A. was found to have used a deceptive pattern known as "hard to cancel", which made it difficult for customers to cancel their subscription to the company's marketing emails.
The Spanish DPA (AEPD) fined Asociación de Víctimas por Arbitrariedades Judiciales (JAVA) for publishing illegal recordings on its website and dropping Google Analytics cookies without user consent. Additionally, there was no second layer on the cookie banner enabling the user to refuse to consent to all cookies.
Miguel Ibáñez Bezanilla was fined by the Spanish DPA for multiple violations related to his website. These included the absence of a banner on cookies usage, insufficient information on the identity, features, and length of cookies, and the lack of an option to refuse them. The website was found to be technically unsafe, the privacy policy was not updated, and the provided cookie information was inadequate.
The Spanish Data Protection Authority (DPA) has fined an airline for violating cookie regulations on their website. The airline failed to give users a choice, provide sufficient information, and allow users to reject all cookies at once.
Add Event Staff, S.L. was warned by the Spanish DPA (AEPD) for not obtaining separate consent for processing activities related to job search and commercial purposes.
The Spanish DPA fined the airline Vueling €18,000 for relying on pre-checked consent boxes that enabled non-essential cookies and for continuing to use non-essential cookies even after users clicked "reject all."
Iweb Internet Learning, S.L. was fined by the Spanish Data Protection Agency for failing to identify the data controller, not allowing separate consent for each purpose, and providing insufficient information on the use of cookies.
The Spanish Data Protection Authority (AEPD) initiated a sanction procedure against Eslora Proyectos, S.L. based on a complaint filed by a Spanish citizen, which alleged that the defendant, the owner of three websites, failed to provide the necessary basic layer information to users regarding the cookies loaded on the websites.
Wind Tre was fined by the Garante for not allowing customers to withdraw consent or object to marketing data processing, lacking transparency in data information, using a single button for multiple consents, using small print, bundling consents, and conducting unlawful data collection and unauthorised marketing.
Effen Ads tricked users by sending spam emails that falsely claimed endorsements from news organizations and celebrities to promote fraudulent schemes.
The Danish DPA found Den Blå Avis at fault for using a single 'accept' button for processing data for different purposes, disclosing data to third parties without sufficient notice, and not providing a link or menu for the purpose of data sharing.
ARANOW PACKAGING MACHINERY, S.L was fined by AEPD for violations related to its Cookie Policy. AEPD conducted an investigation that included an examination of the information provided in the Cookie Policy, including details on the use of cookies and data collected. AEPD also looked for any mechanism to reject all cookies, but found none.
The Belgian DPA held an organization liable for continued direct marketing practices despite objection by the complainant; and for failing to provide clear information about the right to object in the privacy policy.
LendEDU was fined for promoting products in exchange for a fee and posting fake positive reviews on its website.
Progressive Leasing was held liable for misleading consumers into paying more than the sticker price for items by hiding the cost behind a nondescript dropdown arrow.
A controller was fined by the AEPD for inadequate cookie information on its website, including a lack of information on tracking cookies and a vague cookie policy without an easy uninstall tool.
The Belgian Data Protection Authority (APD/GBA) imposed a fine on the defendant for placing cookies without prior consent and obtaining consent via pre-ticked boxes. Additionally, their policies lacked transparent information on data subjects' rights, their exercise, and the legal basis for processing.
The UODO imposed a fine on a company for preventing data subjects from easily and effectively withdrawing their consent and from requesting the erasure of their personal data.
Planet49 ran a promotional lottery competition on its website. To play in the lottery, users were required to tick a checkbox to receive third-party advertising, otherwise they could not play. Also, the registration process included a pre-ticked checkbox that would allow tracking of their online behaviour.
UrthBox engaged in offering a supposedly "free" trial without adequately disclosing hidden subscription charges and misrepresenting consumer reviews as independent.
Canary Click Consulting website was held liable for failure to provide information about the storage or deletion of their data and for not providing an option to reject cookies.
CMA held Microsoft liable for unclear upfront terms, difficulty in turning off auto-renewal, and customers unknowingly paying for unused services in their auto-renewing Xbox Live Gold and Game Pass memberships.
Just Landed, a Spanish entity, has been fined by the Spanish DPA for having a privacy policy written only in English and not providing a mechanism to accept, reject or manage cookies.
CNIL found Google liable for providing information in a fragmented and generic manner, and for using pre-ticked boxes for personalization settings of the account.
The Spanish Data Protection Authority issued a reprimand to a controller for failing to fulfill a data subject's request for deletion. Despite six separate attempts by the data subject, the controller did not act promptly, and neither their website nor app allowed for easy account cancellation.
Sage Auto coerced users into signing different contracts, charged for unauthorised add-ons and faked its reviews.