The Danish DPA criticised a controller for using multiple layers to collect consent, not providing adequate information, and using colors (greyed options) to influence user choice.
Excerpt
Our analysis
The Danish Data Protection Authority conducted a written inspection into JP/Politiken A/S' processing of personal data about visitors to www.eb.dk. JP/Politiken used a consent solution with three options - Necessary only, Customize Settings, and Accept all. However, visitors who selected Accept all did not receive adequate information about all processing purposes, as the purpose of preferences only appeared in the second layer of the consent solution. This means that visitors did not give informed consent, and the processing of personal data for statistical and marketing purposes contradicted the principle of lawfulness, fairness, and transparency. While visitors could access the second layer of the consent solution by clicking on Customize Settings, the Danish Data Protection Authority found that this did not constitute voluntary consent because visitors did not have a free choice and control over their personal data.
As a result, since all requirements under the data protection regulation's Article 4(11) were not met, there was no valid consent to form the basis for processing personal data in accordance with the data protection regulation's Article 6(1)(a). The authority raised concerns that the use of colors in response buttons, especially a traffic light-like system, can influence visitors to make certain choices and constitute a form of nudging that is not compatible with the principle in Article 5(1). While the Authority generally allows design freedom in layout and content, it believes that the use of colors should not lead to opacity or unreasonable processing situations. In the specific case of the consent solution, the use of green for the "Accept all" button, according to the Authority, can bypass the data subject's ability to exercise an informed choice.
Outcome
The DPA found that the controller's website did not obtain informed consent as visitors who clicked on "Accept all" did not receive all processing information. The consent did not meet Article 4(11) GDPR, and the controller could not rely on Article 6(1)(a) GDPR. Additionally, using a traffic light-like colour and design scheme in the consent solution constituted a form of "guiding" that interfered with the user's ability to make an informed choice. As a result, the DPA reprimanded the controller for the identified violations.
Parties
JP/Politikens Hus A/S (Controller) and Danish DPA
Case number
2021-41-0149
Decision
Related deceptive patterns
There are numerous ways to interfere with the visual design of a page to hide, obscure or disguise information. Visual perception can be manipulated by using small, low-contrast text. Comprehension can be manipulated by creating a chaotic or overwhelming interface. Users' expectations can be violated by placing important information in styles or locations they would not expect.
Obstruction is a type of deceptive pattern that deliberately creates obstacles or roadblocks in the user's path, making it more difficult for them to complete a desired task or take a certain action. It is used to exhaust users and make them give up, when their goals are contrary to the business's revenue or growth objectives. It is also sometimes used to soften up users in preparation for a bigger deception. When users are frustrated or fatigued, they become more susceptible to manipulation.
The disguised ads deceptive pattern works by deliberately blurring the line between actual content and advertising, creating confusion for users. These ads are often designed to look like interface elements, related articles, or other content that users might be interested in, making it more likely that users will click on them. By doing this, website owners may generate more revenue from ad impressions, and advertisers may benefit from increased clickthrough rates that may result in more sales.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Consent is a voluntary agreement by an individual to the processing of their personal data, given after being informed of its specific purposes and conditions.
The legal bases for processing personal data are performance of a contract, compliance with legal obligations, protection of vital interests, the controller's legitimate interests, and the data subject's consent.
Requires personal data to be processed lawfully, fairly, and transparently.