GDPR - Article 04(11)

Planet49 ran a promotional lottery competition on its website. To play in the lottery, users were required to tick a checkbox to receive third-party advertising, otherwise they could not play. Also, the registration process included  a pre-ticked checkbox that would allow tracking of their online behaviour.

Groupe Rossel & Cie, a press group, was found to have unlawfully obtained user consent for the management of non-essential cookies on its websites through the ‘further browsing’ technique, which unlawfully coupled the users' expression of cookie consent with the choice to continue to the website.

Emailmovers Limited's privacy policy was not specific enough and did not clearly name third-party recipients. Deploying the deceptive pattern of hidden and misleading information, the company's email data and marketing service were found to have no clear lawful basis for possessing individuals' personal data, violating the principles of lawfulness, fairness, and transparency.

The Danish Data Protection Authority issued a ruling against a company which was found to have placed cookies on their website without obtaining valid consent from data subjects. The pop-up cookie banner on the website was designed in a way that made it more difficult for users to reject the use of cookies than to accept them. The company was found to have failed to obtain valid consent from users for the placement of cookies on their devices.

The Belgian DPA fined Roularta, for several violations regarding the use of cookies such as placing unnecessary cookies, placing statistical cookies without obtaining consent, using pre-ticked boxes to grant consent for cookies from partners, providing false and inadequate information in their privacy policy, and making it impossible to revoke consent.

The Danish DPA (Datatilsynet) found that a website's cookie consent mechanism was inadequate, as it only provided an "Allow all cookies" option, making continued use of the website equal to consent. The DPA clarified that this approach to marketing cookies was not in compliance with the law.

The Belgian Data Protection Authority (APD/GBA) imposed a fine on the defendant for placing cookies without prior consent and obtained consent via pre-ticked boxes. Additionally, their policies lacked transparent information on data subject's rights, their exercise, and legal basis for processing.

Banco Bilbao Vizcaya Argentaria, SA was fined by the Spanish Data Protection Authority (AEPD) for issues related to imprecise terminology, vague formulations, the absence of the option to refuse in the privacy policy, and the use of pre-ticked checkboxes to obtain consent.

We Buy Any Car Ltd, a car valuation company, was fined by the UK DPA for sending unsolicited marketing emails and SMS, with complainants unable to unsubscribe from them.

The Danish DPA found Den Blå Avis at fault for using a single 'accept' button for processing data for different purposes, disclosing data to third parties without sufficient notice, and not providing a link or menu for the purpose of data sharing.

UK DPA fined a car finance company for not providing a simple, clear and specific opt-out process for marketing, lack of information about data processing practices, and absence of opt-out option for individuals.

Orange România SA was found responsible for using pre-ticked boxes as a form of obtaining consent from customers for storing copies of their identity documents, which does not constitute active consent.

The French DPA found Facebook guilty for making it more complex for users to refuse cookies than to accept them, and for not providing users with clear information on refusal of cookies.

The Danish DPA expressed criticism against a controller for using multiple layers to collect consent, not providing adequate information and using colors (greyed options) to influence user choice.

CNIL found Google liable for providing information in a fragmented and generic manner, and for using pre-ticked boxes for personalization settings of the account.

The French DPA fined Microsoft for installing non-essential cookies without valid consent and making refusal of cookies harder than accepting them by placing them on a second layer.

The French DPA fined Apple for implementing the ‘personalised ads’ setting as default without prior consent and making it hard to change the setting by involving multiple steps.

The Belgian DPA issues a reprimand to a government agency for failing to provide website visitors with clear information and a means to refuse non-strictly necessary cookies.