Excerpt
Italian DPA found Ediscom guilty of using misleading interfaces and unclear submission procedures, such as prompting users to provide consent for marketing despite already denying it.
Our analysis
The Italian DPA imposed sanctions on Ediscom for violating multiple provisions of the GDPR, including the accountability principle, conditions for consent, and privacy-by-design and privacy-by-default principles. Ediscom was found to frequently use misleading interfaces and unclear submission procedures. They would prompt users who had already denied consent for marketing communications to provide consent again through deceptive design elements. The link to continue without providing consent was placed outside the pop-up and in a smaller format, making it less visible than the accept button. The Garante also noted that Ediscom employed unclear communication models and registration processes, which violated guidelines on dark patterns. These actions by Ediscom were considered attempts to obtain consent despite the user's clear expression of intent and created confusion, potentially leading to consent given under misleading circumstances. Additionally, Ediscom failed to require email validation for certain services and used specially designed interfaces to collect excess data and bypass the will of the users. The Garante concluded that obtaining consent through such deceptive methods undermined the freedom and awareness of the individuals and was therefore unlawful.
Outcome
Ediscom claimed good faith and implemented corrective measures, including adapting pop-up graphics, sending confirmation emails, reviewing system mechanisms, renegotiating contracts, and establishing precise checks on acquired databases.
Parties
Italian Data Protection Authority (Garante per la protezione dei dati personali) and Ediscom S.p.A.
Case number
9870014
Decision
Related deceptive patterns
There are numerous ways to interfere with the visual design of a page to hide, obscure or disguise information. Visual perception can be manipulated by using small, low contrast text. Comprehension can be manipulated by creating a chaotic or overwhelming interface. User's expectations can be violated by placing important information in styles or location they would not expect.
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Related laws
Requires personal data to be processed lawfully, fairly, and transparently.
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.
Mandates that data protection must be incorporated into the design of systems, and that privacy must be a default setting for all data processing activities.