Definition
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Example
In 2015, UK sports retailer sportsdirect.com was found to be sneaking an unwanted magazine subscription into users' shopping baskets during the checkout process. The magazine cost an extra £1, and was added without users' explicit consent or knowledge. If users noticed it, they had to actively remove it from their basket if they did not wish to purchase it.
References
Sneak into basket (Brignull, 2010), bait and switch (Brignull, 2010), hidden costs (Brignull, 2010; Mathur et al., 2019), hidden legalese stipulations (Bösch et al., 2016), hidden subscription (Mathur et al., 2019), drip pricing (FTC, 2022).
Related laws
Consent is a voluntary agreement by an individual for their personal data processing, after being informed of its specific purposes and conditions.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Consent should be specific, informed and unambiguous, cover all processing activities, and not be inferred from silence or pre-ticked boxes; requests for consent must be clear, concise and non-disruptive.
Users must give informed and unambiguous consent and receive clear information about cookies, including processing purposes and data controller identity, according to the law.
Requires website operators to obtain user consent before storing or accessing information on the user's device through cookies or similar technologies.
Requires personal data to be processed lawfully, fairly, and transparently.
The legal bases for processing personal data are performance of a contract, compliance with legal obligations, protection of vital interests, the controller's legitimate interests, and the data subject's consent.
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.
Controllers must provide their identity and contact details, the processing purposes and legal basis, recipient information, the retention period, and the data subject's rights when collecting personal data.
Specifies required information for data subjects when collecting personal data from other sources, including controller identity, processing purposes, personal data categories, recipients, and retention period.
Requires data controllers to implement appropriate measures to ensure data protection and to demonstrate compliance with GDPR.
Mandates that data protection must be incorporated into the design of systems, and that privacy must be a default setting for all data processing activities.
Outlines data processors' responsibilities, including implementing appropriate security measures, processing data based on controller instructions, and maintaining records of processing activities.
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.
Grants individuals the right to access their personal data and receive information on how it is processed.
Grants individuals the right to have their personal data erased under certain circumstances.
Gives individuals the right to object to the processing of their personal data in certain situations.
Requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Requires controllers to notify the supervisory authority without undue delay if a personal data breach is likely to result in a risk to the rights and freedoms of individuals.
Outlines conditions for fines and penalties for non-compliance, including up to 4% of global annual revenue or €20 million, whichever is greater.
Prohibits the use of automated calling and communication systems for unsolicited promotional purposes, except with the prior consent of the data subject or for legitimate interest of the data controller.
Prohibits deceptive acts or unfair practices related to the sale or advertisement of any merchandise.
Covers various aspects of consumer transactions, including the sale of goods and services, digital content, unfair contract terms, and remedies for faulty goods.
Aim to protect consumers against unfair standard terms in standard term contracts.
Prohibit traders across all sectors from using unfair commercial practices that hinder consumers from making informed purchasing decisions.
Establishes rules for processing personal data of children under the age of 16.
Empowers supervisory authorities to carry out investigations and order controllers and processors to comply with the regulation.
Outlines the appointment of a Data Protection Officer (DPO) for certain organizations.
Requires the appointment of a Data Protection Officer (DPO) in certain circumstances.
Outlines various unfair or deceptive trade practices, including misrepresenting goods or services, falsely claiming affiliations, quality, or characteristics, and using innuendo to mislead.
Prohibits deceptive acts or practices that misrepresent or omit material facts.
Requires companies to obtain consumers' consent before charging their credit or debit cards for goods or services offered through a "negative option feature."
Prohibits deceptive practices, fraud, and misrepresentations in the sale or advertisement of merchandise.
Related cases
Undisclosed fines
€50,000 in fines
€35 million in fines
€50,000 in fines
3 months to comply
€2,000 in fines
€1,200 in fines
€5,000 in fines
€2,000 in fines
1 month to comply with GDPR requirements
€2,250,000 in fines
€6,000 in fines
€15,000 in fines
€1,500 in fines
€5,000,000 in fines
€5 million in fines
€3,000 in fines
€5,000 in fines
€16,729,600 in fines
$18 million settlement
$100 million settlement
$10 million settlement
$2.2 million settlement
€1,400,000 in fines
€730,000 in fines
€1,228 in fines
€15,000 in fines
€198,000 in fines
€200,000 in fines
€850,000 in fines
€60,000,000 in fines
€225,000,000 in fines
Reprimand issued
€50,000,000 in fines
Changes made to website
Changes made to website
€20,000 in fines
Warning issued
€1,200 in fines
€8,000 in fines
$1,800,000 in fines
$7.2 million in fines
$2.5 million in fines
$10 million in fines
$85 million settlement
Pending