Italian Data Protection Authority Sanctioning Measure against Ediscom SpA
Case summary
The Italian DPA found Ediscom guilty of using misleading interfaces and unclear submission procedures, such as prompting users to provide consent for marketing even though they had already denied it.
Our analysis
The Italian DPA imposed sanctions on Ediscom for violating multiple provisions of the GDPR, including the accountability principle, conditions for consent, and privacy-by-design and privacy-by-default principles. Ediscom was found to frequently use misleading interfaces and unclear submission procedures. They would prompt users who had already denied consent for marketing communications to provide consent again through deceptive design elements. The link to continue without providing consent was placed outside the pop-up and in a smaller format, making it less visible than the accept button. The Garante also noted that Ediscom employed unclear communication models and registration processes, which violated guidelines on dark patterns. These actions by Ediscom were considered attempts to obtain consent despite the user's clear expression of intent and created confusion, potentially leading to consent given under misleading circumstances. Additionally, Ediscom failed to require email validation for certain services and used specially designed interfaces to collect excess data and bypass the will of the users. The Garante concluded that obtaining consent through such deceptive methods undermined the freedom and awareness of the individuals and was therefore unlawful.
Outcome
Ediscom claimed good faith and implemented corrective measures, including adapting pop-up graphics, sending confirmation emails, reviewing system mechanisms, renegotiating contracts, and establishing precise checks on acquired databases.
Parties
Italian Data Protection Authority (Garante per la protezione dei dati personali) and Ediscom S.p.A.