VOODOO was fined by the French DPA for not obtaining user consent for personalized advertising and for providing false information about user tracking behavior. Users were presented with a misleading choice of accepting or declining tracking, followed by a second window requiring acceptance of the provider's data protection policy.
Excerpt
Our analysis
The provider, VOODOO, presented the user with two windows. The first window was designed by APPLE and sought consent from the user to let the provider track their activities on the provider's applications. The second window was designed by the provider and required the user to certify that they were over the age of sixteen and accept the provider's personal data protection policy. Regardless of the option the user chose in the first window, the provider presented the second window, which made it seem like the user had no choice but to accept the provider's personal data protection policy. This false hierarchy created a misleading impression that the provider's policy was superior to the user's preference. By doing so, the provider reduced the effectiveness of the choice expressed by the user to decline tracking in the first window.
The provider still tracked the user by using a different cookie called IDFV to collect information for advertising purposes. The provider also collected other information specific to the user's device (such as system language, device model, etc.), which it used to provide non-personalised advertisements based on browsing habits.
The actions of the provider violated Article 82 of the French Data Protection Act, which transposes Article 5(3) of the ePrivacy Directive. According to this law, any subscriber or user of an electronic communications service must be informed in a clear and complete manner. The DPA determined that the information provided by the controller in the second window did not correspond with the reality of the situation. Therefore, the provider did not inform the user in a clear and complete manner, which is a violation of the law.
Outcome
The provider was fined €3,000,000 by the French DPA, which took into account the number of individuals affected, the financial gains resulting from the breach, and the provider's turnover in 2020 and 2021 when justifying the amount. Alongside the penalty, the French DPA instructed the provider to obtain explicit consent from users for the use of IDFV in advertising, within three months of receiving the decision.
Parties
Voodoo (the controller) and CNIL
Case number
SAN-2022-026
Related deceptive patterns
Forced action involves a provider offering users something they want, but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
There are numerous ways to interfere with the visual design of a page to hide, obscure or disguise information. Visual perception can be manipulated by using small, low-contrast text. Comprehension can be manipulated by creating a chaotic or overwhelming interface. Users' expectations can be violated by placing important information in styles or locations they would not expect.
Related laws
Users must give informed and unambiguous consent and receive clear information about cookies, including processing purposes and data controller identity, according to the law.
Requires website operators to obtain user consent before storing or accessing information on the user's device through cookies or similar technologies.