Excerpt
The Belgian DPA held an organization liable for continued direct marketing practices despite objection by the complainant; and for failing to provide clear information about the right to object in the privacy policy.
Our analysis
A former donor of the organization lodged a complaint after receiving promotional materials despite objecting to the processing of his data for direct marketing purposes and requesting the organization to delete his data from its database. The dispute was taken to the litigation chamber, which concluded that the GDPR had been violated. The data controller continued to send direct marketing messages to the complainant despite being repeatedly told not to do so. Additionally, the organization did not have a legitimate basis for direct marketing, and the legitimate interests of the organization were outweighed by the rights of the complainant. The complainant had a reasonable expectation that his data would not be processed seven years after he made a donation. Furthermore, the data controller should have explicitly stated the right to object in clear and unambiguous language, as a mere mention in the privacy policy was deemed insufficient.
Outcome
Due to the organization's limited turnover and the persistence of their practices for over five years, the DPA determined that a fine of 1000 euros was appropriate.
Parties
X (the complainant) and Y (the defendant)
Case number
28/2020
Decision
Related deceptive patterns
Hard to cancel (aka "Roach Motel") is a deceptive pattern where it is easy to sign up for a service or subscription, but very difficult to cancel it. This typically involves hiding the cancellation option, requiring users to call customer services to cancel, and making the cancellation process overly complex and time-consuming. This can cause users to give up trying to cancel, and continue paying for the service for a longer period.
The trick wording deceptive pattern takes advantage of user expectations and ambiguous language to mislead and deceive users. It is normal for users to scan-read when they are online, as a way to cope with the sheer volume of information they are faced with. This means they don't read and dwell on every word on every page. Trick wording usually takes advantage of the scan reading strategy, by making a piece of content look like it is saying one thing, when in fact it is saying something else that is not in the user's best interests.
Related laws
Legal basis for processing personal data are performance of contract, legal obligations compliance, protection of vital interests, controller's legitimate interests, and data subject's consent.
Grants individuals the right to have their personal data erased under certain circumstances.
Gives individuals the right to object to the processing of their personal data in certain situations.