Deceptive Patterns
‹ All enforcement EU & UK

Executive-committee of the Belgian DPA (GBA) v. Rossel & Cie

Jurisdiction
EU & UK
Authority
Belgian DPA (APD/GBA)
Date
16 Jun 2022
Case number
DOS-2020-02998
Outcome
€50,000 in fines

Case summary

Groupe Rossel & Cie, a press group, was found to have unlawfully obtained user consent for the management of non-essential cookies on its websites through the ‘further browsing’ technique, which unlawfully coupled the users' expression of cookie consent with the choice to continue to the website.

Our analysis

Groupe Rossel, a Belgian press group, was found to have committed several violations by the Belgian DPA in their management of non-essential cookies on several of its websites. The DPA’s inspection service found that Groupe Rossel had used non-essential cookies before obtaining valid consent from website users, including cookies placed by third-party domains, violating Article 6(1)(a) of the GDPR. The company had also unlawfully obtained user consent by using the ‘further browsing’ technique [involves presenting visitors with a message that asks for their consent to use cookies or other tracking tools, but makes it seem like they have no other choice if they want to continue using the website. The message typically displays a button with text like “continue browsing” or “agree” to nudge visitors into giving consent] and coupling users’ expression of cookie consent with the choice to continue to the website, contrary to Articles 4(11) and 7(1) of the GDPR. Additionally, Groupe Rossel had placed further cookies on its websites without an appropriate justification after user consent had been withdrawn, violating Article 7(3) of the GDPR, which requires the user to provide consent through a clear and affirmative action.

The company’s cookie policy on relevant websites was also incomplete and not sufficiently accessible, in violation of Articles 12(1), 13, and 14 of the GDPR. The lack of essential information, such as the names of all third-party partners, prevented users from making an informed decision about their data. Groupe Rossel disputed some of the findings, including the placement of statistical and social-network cookies prior to consent, the qualification of ‘further browsing’ as consent, and the use of pre-ticked boxes to grant consent for third-party cookies. The company was also found to have unjustified retention periods for the storage of cookies, and revoking consent was impossible.

Outcome

Groupe Rossel was fined €50,000 by the Belgian DPA for violating GDPR, and was ordered to publish the decision on its website. The DPA also instructed the company to bring its personal data processing practices into compliance within three months.

Parties

Rossel Group (sudinfo), Rossel Group (le soir); Rossel & Cie

View the decision

Related deceptive patterns

PreselectionThe user is presented with a default option that has already been selected for them, in order to influence their decision-making. Forced actionThe user wants to do something, but they are required to do something else undesirable in return.ObstructionThe user is faced with barriers or hurdles, making it hard for them to complete their task or access information.SneakingThe user is drawn into a transaction on false pretences, because pertinent information is hidden or delayed from being presented to them.

Related laws

GDPR - Article 04(11)Consent is a voluntary agreement by an individual for their personal data processing, after being informed of its specific purposes and conditions.GDPR - Article 06Legal basis for processing personal data are performance of contract, legal obligations compliance, protection of vital interests, controller's legitimate interests, and data subject's consent.GDPR - Article 07Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.GDPR - Article 12Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.GDPR - Article 13Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.GDPR - Article 14Specifies required information for data subjects when collecting personal data from other sources, including controller identity, processing purposes, personal data categories, recipients, and retention period.