Groupe Rossel & Cie, a press group, was found to have unlawfully obtained user consent for the management of non-essential cookies on its websites through the ‘further browsing’ technique, which unlawfully coupled the users' expression of cookie consent with the choice to continue to the website.
Excerpt
Our analysis
Groupe Rossel, a Belgian press group, was found to have committed several violations by the Belgian DPA in their management of non-essential cookies on several of its websites. The DPA’s inspection service found that Groupe Rossel had used non-essential cookies before obtaining valid consent from website users, including cookies placed by third-party domains, violating Article 6(1)(a) of the GDPR. The company had also unlawfully obtained user consent by using the ‘further browsing’ technique [involves presenting visitors with a message that asks for their consent to use cookies or other tracking tools, but makes it seem like they have no other choice if they want to continue using the website. The message typically displays a button with text like “continue browsing” or “agree” to nudge visitors into giving consent] and coupling users’ expression of cookie consent with the choice to continue to the website, contrary to Articles 4(11) and 7(1) of the GDPR. Additionally, Groupe Rossel had placed further cookies on its websites without an appropriate justification after user consent had been withdrawn, violating Article 7(3) of the GDPR, which requires the user to provide consent through a clear and affirmative action.
The company’s cookie policy on relevant websites was also incomplete and not sufficiently accessible, in violation of Articles 12(1), 13, and 14 of the GDPR. The lack of essential information, such as the names of all third-party partners, prevented users from making an informed decision about their data. Groupe Rossel disputed some of the findings, including the placement of statistical and social-network cookies prior to consent, the qualification of ‘further browsing’ as consent, and the use of pre-ticked boxes to grant consent for third-party cookies. The company was also found to have unjustified retention periods for the storage of cookies, and revoking consent was impossible.
Outcome
Groupe Rossel was fined €50,000 by the Belgian DPA for violating GDPR, and was ordered to publish the decision on its website. The DPA also instructed the company to bring its personal data processing practices into compliance within three months.
Parties
Rossel Group (sudinfo), Rossel Group (le soir); Rossel & Cie
Case number
DOS-2020-02998
Decision
Related deceptive patterns
Preselection employs the default effect cognitive bias – a psychological phenomenon where people tend to go with the option that is already chosen for them, even if there are other choices available. Providers know this and often use it to take advantage of consumers. A common approach is to show a pre-ticked checkbox, though there are various other ways of doing this, including putting items in the user's shopping cart, or pre-selecting items in a series of steps. There are lots of reasons why this is a powerful deceptive pattern. Firstly, there’s simply the matter of awareness - users have to notice it, read it and work out what it all means. If the user doesn't, they'll scroll past completely unaware of the implications. There are other cognitive biases that may be employed in his deceptive pattern. For example, the content may be written to make the user feel that people to feel other people like them would accept the default so they should too (targeting the social proof bias). Alternatively, the content may use an authority figure to pressure users into accepting the default (targeting the authority bias).
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Obstruction is a type of deceptive pattern that deliberately creates obstacles or roadblocks in the user's path, making it more difficult for them to complete a desired task or take a certain action. It is used to exhaust users and make them give up, when their goals are contrary to the business's revenue or growth objectives. It is also sometimes used to soften up users in preparation for a bigger deception. When users are frustrated or fatigued, they become more susceptible to manipulation.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Consent is a voluntary agreement by an individual for their personal data processing, after being informed of its specific purposes and conditions.
Legal basis for processing personal data are performance of contract, legal obligations compliance, protection of vital interests, controller's legitimate interests, and data subject's consent.
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Specifies required information for data subjects when collecting personal data from other sources, including controller identity, processing purposes, personal data categories, recipients, and retention period.