Caixabank Bank was fined by the Spanish DPA for using pre-ticked boxes to request consent for processing personal data, and charging customers who did not accept the terms a monthly maintenance fee of €5.
Excerpt
Our analysis
Customers of Caixabank, complained to the Spanish Data Protection Agency (AEPD) that the bank was using a deceptive pattern application of preselection and forced action to obtain consent for processing personal data from its customers. Caixabank had asked customers to accept consent terms through pre-ticked boxes. If the customers did not accept the terms, the bank would charge them a fee of €5 per month for maintaining their bank account. This approach of preselecting the consent checkbox and then linking it to a mandatory fee for the bank account's maintenance forced the customers to provide their consent. The bank claimed that the fee was not a charge but a necessary fare for providing banking services and was an essential element of the contract. The AEPD established that during a certain period, for new customers who chose a particular type of bank account, the consent acceptance fields were pre-ticked. In the AEPD's view, linking an exemption from fees to the provision of obtaining consent for the processing of personal data would mean that the consent was not given freely, since not giving consent entailed the payment of maintenance fees, which were detrimental to the data subject.
The AEPD also noted that the bank's arguments related to the offering of different banking products were not relevant in this case, since these other products had different requirements based on, customer's economic conditions, minimum purchases per month, insurance contributions, and holdings into investment funds. The AEPD also established that linking processing of personal data with a waiver of fees could not be considered analogous to a loyalty program. The AEPD held that the two legal bases for the lawful processing of personal data (ie. consent and performance of a contract), were merged or blurred, in violation of Article 7(4) GDPR. Overall, the AEPD found Caixabank's actions to be in violation of GDPR due to the deceptive pattern application of preselection and forced action used to obtain consent for processing personal data.
Outcome
The AEPD found that Caixabank had unlawfully merged two legal bases for processing personal data - consent and performance of a contract - which violated Article 7(4) GDPR. Consequently, the AEPD imposed a €2,000,000 fine against Caixabank for breaching Article 6 GDPR in connection with Article 7(4) GDPR. Caixabank had imposed conditions that required consent for the processing of personal data, for purposes that were not necessary for the performance of a contract. Additionally, Caixabank was fined €100,000 for using pre-ticked boxes to obtain this consent, which was in violation of Article 6(1) GDPR.
Parties
D.A.A.A. (claimant 1); by D.B.B.B. (claimant 2); D.C.C.C. (claimant 3), D.DDD (claimant 4); by D.E.E.E. (claimant 5) by D.F.F.F. (claimant 6), and D.GGG (claimant 7) and Caixabank, S.A.
Case number
PS/00226/2020
Decision
Related deceptive patterns
Preselection employs the default effect cognitive bias – a psychological phenomenon where people tend to go with the option that is already chosen for them, even if there are other choices available. Providers know this and often use it to take advantage of consumers. A common approach is to show a pre-ticked checkbox, though there are various other ways of doing this, including putting items in the user's shopping cart, or pre-selecting items in a series of steps. There are lots of reasons why this is a powerful deceptive pattern. Firstly, there’s simply the matter of awareness - users have to notice it, read it and work out what it all means. If the user doesn't, they'll scroll past completely unaware of the implications. There are other cognitive biases that may be employed in his deceptive pattern. For example, the content may be written to make the user feel that people to feel other people like them would accept the default so they should too (targeting the social proof bias). Alternatively, the content may use an authority figure to pressure users into accepting the default (targeting the authority bias).
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Related laws
Legal basis for processing personal data are performance of contract, legal obligations compliance, protection of vital interests, controller's legitimate interests, and data subject's consent.
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.