Excerpt
The Danish Data Protection Authority issued a ruling against a company that was found to have placed cookies on its website without obtaining valid consent from data subjects. The pop-up cookie banner on the website was designed in a way that made it more difficult for users to reject the use of cookies than to accept them. The company was found to have failed to obtain valid consent from users for the placement of cookies on their devices.
Our analysis
The Danish DPA investigated a complaint filed by a data subject regarding the controller's use of cookies on its website. The controller relied on consent as its legal basis, but the way it obtained consent violated legal regulations and used the deceptive patterns of forced action and false hierarchy. The controller's initial consent request was a pop-up box that offered only the options “Close” or “Read more about cookies,” with no opt-out solution. This method did not give data subjects the option to consent to specific processing purposes, rendering it invalid under Article 6(1)(a) GDPR. In response to the investigation, the controller introduced a new method of requesting consent that included more information about processing and an opt-out solution. However, the DPA found that the design of the cookie banner nudged data subjects towards clicking “ACCEPT ALL” rather than “Accept,” making it easier to consent to cookie use than to reject it. Furthermore, the controller began cookie tracking before obtaining the data subject's consent, which the DPA criticised. Overall, the controller's use of deceptive patterns and its failure to follow legal regulations regarding consent and opt-out solutions violated legal guidelines.
Outcome
The DPA expressed severe criticism of the processing activities based on this cookie banner. Although there was no fine, the company had to implement a new consent solution.
Parties
Alstrøm - Din Isenkræmmer ApS and Danish Data Protection Authority
Case number
2021-431-0125
Decision
Related deceptive patterns
There are numerous ways to interfere with the visual design of a page to hide, obscure or disguise information. Visual perception can be manipulated by using small, low-contrast text. Comprehension can be manipulated by creating a chaotic or overwhelming interface. Users' expectations can be violated by placing important information in styles or locations they would not expect.
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Related laws
Consent is a voluntary agreement by an individual to the processing of their personal data, given after being informed of its specific purposes and conditions.
The legal bases for processing personal data are performance of a contract, compliance with legal obligations, protection of vital interests, the controller's legitimate interests, and the data subject's consent.