Excerpt
Canary Click Consulting website was held liable for failure to provide information about the storage or deletion of their data and for not providing an option to reject cookies.
Our analysis
Canary Click Consulting received complaints from 10 individuals who alleged that the company promised to provide official certificates for a fee but only provided instructions on how to obtain them after the individuals entered personal data and paid the fee. Additionally, the company failed to provide information about the storage or deletion of personal data once a refund was requested. The AEPD investigated the matter and found that URL 1's privacy policy stated that personal data would only be used for "strictly necessary purposes" but also allowed for marketing purposes without an option for users to reject cookies. URLs 2, 3, and 4 did not have a cookie banner or a mechanism for users to reject cookies. Instead, users were directed to "configure the browser on their terminal equipment" to delete cookies. The dispute was whether URLs 1-4 were in violation of the GDPR. The AEPD held that Canary Click Consulting breached European and Spanish data protection laws. URL 1 breached Article 7 of the GDPR because users had to give their consent "generically" for all processing purposes, without the ability to withdraw consent for specific purposes like marketing. As a result, the AEPD issued a warning to Canary Click Consulting and ordered them to bring URL 1 and their privacy policy in line with Article 6(1)(a) of the GDPR within a month.
Outcome
Canary Click was fined €8,000 by the AEPD for violating Article 22(2) of the Law 34/2002 (LSSI), which implements the e-Privacy Directive in Spain. The AEPD concluded that URLs 1-4 breached this article, and the company was fined €2,000 for each URL.
Parties
D.A.A.A (Data Subject) and Canary Click Consulting website
Case number
PS/00385/2020
Decision
Related deceptive patterns
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Legal basis for processing personal data are performance of contract, legal obligations compliance, protection of vital interests, controller's legitimate interests, and data subject's consent.
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.
Empowers supervisory authorities to carry out investigations and order controllers and processors to comply with the regulation.
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.