The UK DPA fined a car finance company for failing to provide a simple, clear and specific opt-out process for marketing, for a lack of information about its data processing practices, and for the absence of an opt-out option for individuals.
Excerpt
Our analysis
CCSL, a car finance company in the UK, was fined by the Information Commissioner's Office (ICO) for violating Regulation 22 of PECR by sending unsolicited direct marketing messages. Between 2018 and 2019, the ICO received nearly 200 complaints regarding the unsolicited electronic direct marketing text messages sent by CCSL. The ICO found that individuals had no option other than agreeing to receive direct marketing, so consent was not freely given. Similarly, consent was not specific, as individuals could not select which party they agreed to receive marketing from, and it was not informed, as the information provided was too vague. The company used a hard opt-out process, making it difficult for individuals to opt out of receiving marketing messages. CCSL claimed to have gathered consent through an application form that made no specific reference to direct marketing or to the purposes of contact from third parties, and there was no method for the individual to apply without consenting to being contacted. The company also failed to provide individuals with the opportunity to refuse or opt out in the first place.
Outcome
CCSL was fined approximately €198,000 by the ICO, which considered several factors in determining the amount of the fine. These factors included the gravity of the violation, as well as whether the violation was committed intentionally or negligently, and the extent to which CCSL cooperated with the investigation.
Parties
Colour Car Sales Limited (CCSL) and ICO - UK DPA
Case number
Monetary Penalty Notice - 2619914
Decision
Related deceptive patterns
Hard to cancel (aka "Roach Motel") is a deceptive pattern where it is easy to sign up for a service or subscription, but very difficult to cancel it. This typically involves hiding the cancellation option, requiring users to call customer services to cancel, and making the cancellation process overly complex and time-consuming. This can cause users to give up trying to cancel, and continue paying for the service for a longer period.
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Consent is a voluntary agreement by an individual to the processing of their personal data, given after being informed of its specific purposes and conditions.
Regulates the use of electronic communications for direct marketing purposes, including requirements for consent, opt-out options, and cookie disclosure.
Provides definitions of various terms used in the Privacy and Electronic Communications