The EDPB fined Meta for processing contact information on children’s business accounts and using ‘public by default’ settings for child users.
Excerpt
Our analysis
The Irish Data Protection Commission (DPC) found that Instagram's default account settings for child users were set to public, meaning that anyone on the app or website, regardless of whether they were registered users or not, could view the contents of the account. This was in violation of Article 12(1) of GDPR because Instagram did not clearly and transparently inform child users of the purpose of public-by-default processing. Although Meta (Instagram's parent company) had informed child users of this setting in their 2018 and 2020 Data Policies, the DPC deemed this insufficient.
The European Data Protection Board (EDPB) agreed with the DPC's assessment that the interests pursued by Instagram were not specific enough, as the controller had mentioned them in vague language. The EDPB also criticized the DPC for not conducting a better evaluation of the existence of the legitimate interest(s) pursued by Instagram. Furthermore, Instagram failed to provide child users with information on the purposes of processing and the categories of recipients of personal data using clear and plain language, which was required under Articles 13(1)(c) and (e) of GDPR.
Outcome
Following the adoption of a binding decision by the European Data Protection Board (EDPB), the Irish Data Protection Commission (DPC) fined Meta €405,000,000 for processing contact information on children's business accounts without legal grounds and for having default settings set to "public" for child users.
Parties
Meta Platforms Ireland Limited, and Instagram Social Media Network and DPC through European Data Protection Board
Case number
IN-20-7-4
Decision
Related deceptive patterns
Preselection employs the default effect cognitive bias – a psychological phenomenon where people tend to go with the option that is already chosen for them, even if there are other choices available. Providers know this and often use it to take advantage of consumers. A common approach is to show a pre-ticked checkbox, though there are various other ways of doing this, including putting items in the user's shopping cart, or pre-selecting items in a series of steps. There are lots of reasons why this is a powerful deceptive pattern. Firstly, there’s simply the matter of awareness: users have to notice it, read it and work out what it all means. If the user doesn't, they'll scroll past completely unaware of the implications. There are other cognitive biases that may be employed in this deceptive pattern. For example, the content may be written to make the user feel that other people like them would accept the default, so they should too (targeting the social proof bias). Alternatively, the content may use an authority figure to pressure users into accepting the default (targeting the authority bias).
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Requires personal data to be processed lawfully, fairly, and transparently.
The legal bases for processing personal data are performance of contract, compliance with legal obligations, protection of vital interests, the controller's legitimate interests, and the data subject's consent.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Requires data controllers to implement appropriate measures to ensure data protection and to demonstrate compliance with GDPR.
Mandates that data protection must be incorporated into the design of systems, and that privacy must be a default setting for all data processing activities.