The Belgian DPA fined Roularta for several violations regarding the use of cookies, such as placing unnecessary cookies, placing statistical cookies without obtaining consent, using pre-ticked boxes to grant consent for cookies from partners, providing false and inadequate information in its privacy policy, and making it impossible to revoke consent.
Our analysis
The Belgian DPA began investigating Roularta Media Group's use of cookies on Belgian media websites. The investigation uncovered several potential violations of data protection laws, including the preselection of unnecessary cookies before the data subject's consent, the placement of statistical cookies without consent, pre-ticked boxes to grant consent for cookies from partners, hidden information in their privacy policy, unjustified retention periods for the storage of cookies, and the inability to revoke consent. The controller argued that statistical cookies are necessary for the business model of the website and do not process personal data, thus making GDPR inapplicable. They also argued that the personal data for statistical cookies was anonymised, and there were no adequate guidelines provided by the Belgian DPA for companies to comply with GDPR.
The DPA found that cookies may only be placed without prior consent when they are strictly necessary for the transmission of a communication or are explicitly requested by the user. The controller violated Article 6(1)(a) of the GDPR by placing unnecessary cookies without prior consent. The DPA noted that statistical cookies also require prior consent: they revealed IP addresses to the controller, which made the data subjects indirectly identifiable and therefore brought the processing within the scope of the GDPR. The pre-ticked boxes for cookies from partner companies cannot constitute lawful consent, again violating Article 6(1)(a). The disclaimer for third-party cookies violated the principle of accountability, and the privacy policy contained false, incomplete, and insufficient information, violating Article 12(1). The controller also violated Article 5(1)(e) by not proactively defining criteria for how long cookies would be stored. The inability to withdraw consent violated Article 7(3). The DPA held that the absence of guidelines is not a valid excuse for violating data protection legislation, as it is the controller's responsibility to comply with the law, and numerous guidelines for compliance with the GDPR already exist.
Outcome
The DPA determined that it is the responsibility of the controller to comply with the law, and the DPA noted that numerous guidelines for companies to ensure compliance with the GDPR already exist. As a result of a violation of data protection legislation, the DPA fined the controller €50,000 and ordered the controller to bring its processing of personal data into compliance with the GDPR within 3 months.
Parties
Executive committee of the Belgian DPA (GBA) and Roularta Media Group
Case number
85/2022
Related deceptive patterns
Preselection employs the default effect cognitive bias – a psychological phenomenon where people tend to go with the option that is already chosen for them, even if there are other choices available. Providers know this and often use it to take advantage of consumers. A common approach is to show a pre-ticked checkbox, though there are various other ways of doing this, including putting items in the user's shopping cart, or pre-selecting items in a series of steps. There are lots of reasons why this is a powerful deceptive pattern. Firstly, there's simply the matter of awareness - users have to notice it, read it and work out what it all means. If the user doesn't, they'll scroll past completely unaware of the implications. Other cognitive biases may also be employed in this deceptive pattern. For example, the content may be written to make the user feel that other people like them would accept the default, so they should too (targeting the social proof bias). Alternatively, the content may use an authority figure to pressure users into accepting the default (targeting the authority bias).
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Consent is a voluntary agreement by an individual for their personal data processing, after being informed of its specific purposes and conditions.
Requires personal data to be processed lawfully, fairly, and transparently.
Legal bases for processing personal data include performance of a contract, compliance with a legal obligation, protection of vital interests, the controller's legitimate interests, and the data subject's consent.
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Requires data controllers to implement appropriate measures to ensure data protection and to demonstrate compliance with GDPR.