Excerpt
Emailmovers Limited's privacy policy was not specific enough and did not clearly name third-party recipients. Deploying the deceptive pattern of hidden and misleading information, the company's email data and marketing service were found to have no clear lawful basis for possessing individuals' personal data, violating the principles of lawfulness, fairness, and transparency.
Our analysis
The ICO (Information Commissioner's Office) found that the privacy policy of the organisation that collected the personal data was not specific enough. While the policy stated that an individual's personal data would be shared with third parties for marketing purposes, it did not clearly name the third-party recipients. This lack of specificity can lead to confusion and concern among individuals whose personal data is being shared, and it can be classified under the deceptive pattern of hidden and misleading information. The ICO emphasised the importance of clear and transparent communication when it comes to the handling of personal data, and recommended that the organisation update its policy accordingly. It is essential for organisations to be clear about how they collect, use, and share personal data to foster trust and maintain their reputation.
The ICO emphasises the requirements for consent, which must be “specific and informed”. It clarifies that consent for purchased “consented” data is valid only if the purchaser is identified at the time the data is collected (i.e., when consent is given). Therefore, EML could not have lawfully purchased the data based on valid consent, as it was not identified as a potential buyer to individuals. The use of these deceptive patterns meant that individuals were not fully aware of the nature of the data collection and how their personal data would be used for marketing purposes. This violated several provisions of data protection regulations, including Article 5(1)(a) of the GDPR, which requires that personal data shall be processed lawfully, fairly and transparently.
Outcome
Emailmovers Limited must comply with the ICO's requirements within three months, which include notifying individuals about the processing of their personal data, ceasing the processing of data for those who were not informed, and keeping appropriate records of consent. Failure to comply may result in a penalty of up to £17.5 million or 4% of the annual worldwide turnover.
Parties
Emailmovers Limited
Case number
Enforcement Notice - 2620027
Decision
Related deceptive patterns
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Consent is a voluntary agreement by an individual for their personal data processing, after being informed of its specific purposes and conditions.
Requires personal data to be processed lawfully, fairly, and transparently.