Orange România SA was found responsible for using pre-ticked boxes as a form of obtaining consent from customers for storing copies of their identity documents, which does not constitute active consent.
Excerpt
Our analysis
Orange România SA, a provider of mobile telecommunications services in Romania, was found to have violated Article 32 of the Romanian Data Protection Act by obtaining and storing copies of customers' identity documents without their express consent. The Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (national Romanian data protection authority) imposed an administrative penalty on Orange România and ordered the controller to destroy already existing copies of the IDs.
Orange România had requested consent for this data processing by providing customers with the option to refuse their consent in handwritten form. However, some of the contracts for mobile telecommunication services had a pre-ticked box signaling the consent to the storage of ID copies, while others did not. In order to refuse consent, customers had to fill out an additional form before the conclusion of the contract.
The DPA found that the use of pre-ticked boxes to signal consent to the storage of ID copies was a deceptive pattern that violated the principle of "freely given" consent. The DPA argued that "freely given consent" requires active behavior and a high degree of autonomy on the part of the data subject. Consent in the form of a preselected tick of a checkbox cannot imply active consent on the part of the data subject dealing with a physical document which he or she ultimately signs. The DPA also found that Orange România failed to ensure that the customers were sufficiently informed about the data processing, violating the principle of "informed consent".
Outcome
In its preliminary ruling, which concerns the interpretation of Article 2(h) of Directive 95/46/EC, the CJEU held that Article 2(h) and Article 7(a) of Directive 95/46/EC and Article 4(11) and Article 6(1)(a) of Regulation (EU) 2016/679 state that data controllers must prove that data subjects have given active and informed consent for their personal data to be processed. A telecommunications contract containing a clause stating that a data subject has given consent to the collection and storage of their identity document for identification purposes does not demonstrate valid consent if the box has been pre-ticked, the contract is misleading, or the data subject is required to complete an additional form to refuse consent.
Parties
Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (national Romanian data protection authority; ‘the ANSPDCP’) and Orange România SA
Case number
Case C‑61/19
Decision
Related deceptive patterns
Preselection employs the default effect cognitive bias – a psychological phenomenon where people tend to go with the option that is already chosen for them, even if there are other choices available. Providers know this and often use it to take advantage of consumers. A common approach is to show a pre-ticked checkbox, though there are various other ways of doing this, including putting items in the user's shopping cart, or pre-selecting items in a series of steps. There are lots of reasons why this is a powerful deceptive pattern. Firstly, there’s simply the matter of awareness - users have to notice it, read it and work out what it all means. If the user doesn't, they'll scroll past completely unaware of the implications. There are other cognitive biases that may be employed in this deceptive pattern. For example, the content may be written to make the user feel that other people like them would accept the default, so they should too (targeting the social proof bias). Alternatively, the content may use an authority figure to pressure users into accepting the default (targeting the authority bias).
Related laws
Consent is a voluntary agreement by an individual to the processing of their personal data, after being informed of its specific purposes and conditions.
The legal bases for processing personal data are performance of a contract, compliance with legal obligations, protection of vital interests, the controller's legitimate interests, and the data subject's consent.
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.
Imposes fines ranging from 10 million to 250 million ROL for contraventions involving the processing of personal data in breach of specific provisions.
Defines "data subject's consent" as freely given, specific, and informed indication of agreement to personal data processing.
Outlines the basic principles of fair and lawful personal data processing, including specified and legitimate purposes, adequacy, accuracy, and appropriate safeguards.
Sets out the legal grounds for processing personal data, including consent, contract, legal obligations, vital interests, public interest, and legitimate interests, while protecting the rights of the data subject.