Deliberation of the Restricted Committee on Voodoo

€3,000,000 in fines

Excerpt

VOODOO was fined by the French DPA for not obtaining user consent for personalized advertising and for providing false information about user tracking behavior. Users were presented with a misleading choice of accepting or declining tracking, followed by a second window requiring acceptance of the provider's data protection policy.

Our analysis

The provider, VOODOO, presented the user with two windows - the first window was designed by APPLE, which sought consent from the user to let the provider track their activities on the provider's applications, and the second window was designed by the provider, which required the user to certify that they were over the age of sixteen and accept the provider's personal data protection policy. Regardless of the option the user chose in the first window, the provider presented the second window, which made it seem like the user had no choice but to accept the provider's personal data protection policy. This false hierarchy created a misleading impression that the provider's policy was superior to the user's preference. By doing so, the provider reduced the effectiveness of the choice expressed by the user to decline tracking in the first window. The provider still tracked the user by using a different cookie called IDFV to collect information for advertising purposes. The provider also collected other information specific to the user's device (such as system language, device model, etc.), which it used to provide non-personalised advertisements based on browsing habits. The actions of the provider violated Article 82 of the French Data Protection Act, which transposes Article 5(3) of the ePrivacy Directive. According to this law, any subscriber or user of an electronic communications service must be informed in a clear and complete manner. The DPA determined that the information provided by the controller in the second window did not correspond with the reality of the situation. Therefore, the provider did not inform the user in a clear and complete manner, which is a violation of the law.

Outcome

The provider was fined €3,000,000 by the French DPA, who took into account the number of individuals affected, the financial gains resulting from the breach, and the provider's turnover in 2020 and 2021 when justifying the amount. Alongside the penalty, the French DPA instructed the provider to obtain explicit consent from users for the use of IDFV in advertising, within three months of receiving the decision.

Parties

Voodoo (the controller) and CNIL

Case number

SAN-2022-026

Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us