Excerpt
The Belgian Data Protection Authority (APD/GBA) fined the defendant for placing cookies without prior consent and for obtaining consent through pre-ticked boxes. In addition, the website's policies lacked transparent information on data subjects' rights, on how to exercise them, and on the legal basis for processing.
Our analysis
In June 2019, the APD/GBA investigated a company's website for potential violations of Articles 6(1)(a), 12 and 13 GDPR. The GBA submitted a report detailing several violations, including non-compliance of the company's privacy statement and cookie policy with the GDPR and with the national law implementing the ePrivacy Directive. The policies did not provide transparent information on data subjects' rights and how to exercise them, in violation of Article 12 GDPR. The company also failed to provide information on the legal basis for processing, on data subjects' rights and on the retention period, in breach of Article 13 GDPR. Moreover, the company did not obtain consent before placing cookies, and pre-ticked boxes were used to obtain consent for their installation. This practice was contrary to the national law implementing the ePrivacy Directive and to Articles 6(1)(a) and 7 GDPR, read in light of Article 4(11) and Recital 32 GDPR. The company relied on deceptive patterns (preselection, forced action and hidden information) to obtain user consent, which violated the GDPR.
Outcome
The Belgian Data Protection Authority (GBA) found that the company had violated the national law implementing the ePrivacy Directive and the GDPR. The GBA issued a decision confirming the violations described above and imposed a fine of €15,000.
Parties
Anonymous Y website and GBA
Case number
12/2019
Decision
Related deceptive patterns
Preselection employs the default effect cognitive bias – a psychological phenomenon where people tend to go with the option that is already chosen for them, even if other choices are available. Providers know this and often use it to take advantage of consumers. A common approach is to show a pre-ticked checkbox, though there are various other ways of doing this, including putting items in the user's shopping cart, or pre-selecting items in a series of steps. There are lots of reasons why this is a powerful deceptive pattern. Firstly, there's simply the matter of awareness: users have to notice the default, read it and work out what it means. If they don't, they scroll past completely unaware of the implications. Other cognitive biases may be employed in this deceptive pattern. For example, the content may be written to make users feel that other people like them would accept the default, so they should too (targeting the social proof bias). Alternatively, the content may use an authority figure to pressure users into accepting the default (targeting the authority bias).
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
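As an added illustration that is not part of the decision or of this page's original text, the following JavaScript models a cookie banner as data, audits it for the patterns described above (preselection, bundled consent as a form of forced action, and hidden information), and then shows how a site would gate non-essential cookies on consent that survives that audit. The data model, the function names and the two sample banners are assumptions constructed for this example, not taken from the case file or from any consent-management product.

```javascript
// Added example: audit a cookie-consent banner model for deceptive patterns
// and only allow non-essential cookies when consent is free of them.
// All shapes and names below are this example's own assumptions.

const ESSENTIAL = "strictly_necessary";

// A control is one checkbox/toggle in the banner. `purposes` lists the cookie
// purposes it covers; `defaultChecked` is its state before any user action.
function auditConsentForm(form) {
  const issues = [];
  for (const ctl of form.controls) {
    const nonEssential = ctl.purposes.filter((p) => p !== ESSENTIAL);
    if (nonEssential.length === 0) continue; // strictly necessary cookies need no consent
    // Preselection: a non-essential purpose is ticked before the user acts
    if (ctl.defaultChecked) {
      issues.push({ control: ctl.id, pattern: "preselection" });
    }
    // Bundled consent (forced action): one control grants several purposes at once
    if (ctl.purposes.length > 1) {
      issues.push({ control: ctl.id, pattern: "bundled_consent" });
    }
    // Hidden information (sneaking): purpose text missing or collapsed out of view
    if (!ctl.description || ctl.hidden) {
      issues.push({ control: ctl.id, pattern: "hidden_information" });
    }
  }
  // Forced action at banner level: refusing must not cost more clicks than accepting
  if (form.rejectAllClicks > form.acceptAllClicks) {
    issues.push({ control: "banner", pattern: "forced_action" });
  }
  return issues;
}

// Decide which cookies may be set. Essential cookies are always allowed; a
// non-essential cookie is allowed only if the banner audits clean AND the user
// affirmatively ticked a control covering that cookie's purpose.
function cookiesAllowed(form, tickedControlIds, cookieRegistry) {
  const clean = auditConsentForm(form).length === 0;
  const tickedPurposes = new Set();
  for (const ctl of form.controls) {
    if (tickedControlIds.includes(ctl.id)) {
      ctl.purposes.forEach((p) => tickedPurposes.add(p));
    }
  }
  return cookieRegistry
    .filter((c) => c.purpose === ESSENTIAL || (clean && tickedPurposes.has(c.purpose)))
    .map((c) => c.name);
}

// Constructed sample 1: the kind of banner criticised in the decision. Optional
// purposes are bundled into one pre-ticked box with no visible description,
// and refusing takes more clicks than accepting.
const preTickedBanner = {
  acceptAllClicks: 1,
  rejectAllClicks: 3,
  controls: [
    { id: "necessary", purposes: [ESSENTIAL], defaultChecked: true, description: "Required for login", hidden: false },
    { id: "all_optional", purposes: ["analytics", "advertising"], defaultChecked: true, description: "", hidden: true },
  ],
};

// Constructed sample 2: granular, unticked controls; refusal as cheap as acceptance.
const compliantBanner = {
  acceptAllClicks: 1,
  rejectAllClicks: 1,
  controls: [
    { id: "necessary", purposes: [ESSENTIAL], defaultChecked: true, description: "Required for login", hidden: false },
    { id: "analytics", purposes: ["analytics"], defaultChecked: false, description: "Usage statistics", hidden: false },
    { id: "advertising", purposes: ["advertising"], defaultChecked: false, description: "Personalised ads", hidden: false },
  ],
};

// Constructed cookie registry mapping each cookie to the purpose it serves.
const cookieRegistry = [
  { name: "session_id", purpose: ESSENTIAL },
  { name: "_ga", purpose: "analytics" },
  { name: "ad_id", purpose: "advertising" },
];

console.log(auditConsentForm(preTickedBanner).map((i) => i.pattern));
console.log(cookiesAllowed(preTickedBanner, ["necessary", "all_optional"], cookieRegistry));
console.log(cookiesAllowed(compliantBanner, ["analytics"], cookieRegistry));
```

The point of `cookiesAllowed` is that a box the user merely left ticked is not treated as consent: because the pre-ticked banner fails the audit, only the strictly necessary cookie is permitted no matter which boxes are ticked, whereas the compliant banner permits exactly the purposes the user actively opted into.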
Related laws
Article 4(11) GDPR: Consent is a freely given, specific, informed and unambiguous indication by an individual that they agree to the processing of their personal data, after being informed of its purposes and conditions.
Article 6 GDPR: The legal bases for processing personal data are the data subject's consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest, and the controller's legitimate interests.
Article 7 GDPR: Valid consent must be freely given, specific, informed and unambiguous, and the data subject must be able to withdraw it at any time.
Article 12 GDPR: Controllers must provide information on the processing of personal data in a transparent and easily accessible form, and data subjects have the right to obtain a copy of their data in a clear and commonly used format.
Article 13 GDPR: When collecting personal data, controllers must provide their identity and contact details, the purposes and legal basis of the processing, the recipients of the data, the retention period, and the data subject's rights.