Excerpt
The Danish DPA found Den Blå Avis at fault for using a single 'accept' button for processing data for different purposes, disclosing data to third parties without sufficient notice, and not providing a link or menu for the purpose of data sharing.
Our analysis
Den Blå Avis (DBA), an online platform for second-hand goods, was found to be using deceptive patterns by the Danish DPA during their processing of personal data of website visitors. The DPA's investigation revealed that DBA had not obtained valid consent from visitors due to hidden information and bundling of consent. By clicking "accept," personal data was processed for multiple purposes, including marketing and personalisation, without clearly stating these purposes. Furthermore, DBA did not adequately inform visitors that their data would be shared with third parties, nor did they provide a link or menu in relation to the purpose for data sharing. The DPA assessed the second consent manager and found that the issues with the first CMP were still present, concluding that neither consent manager was adequate to obtain consent in accordance with Article 4(11) GDPR. The processing was therefore not in compliance with the principle of legality, reasonableness, and transparency outlined in Article 5(1)(a) GDPR.
Outcome
The DPA ultimately concluded that the data subject's interests were of greater importance than the controller's legitimate interest, and as a result, the controller could not rely on Article 6(1)(f) GDPR for processing data for statistical purposes. Despite criticizing the controller's actions, the DPA did not exercise any corrective powers under Article 58(2) GDPR.
Parties
Den Blå Avis' and Danish DPA
Case number
2020-431-0085
Decision
Related deceptive patterns
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Related laws
Consent is a voluntary agreement by an individual for their personal data processing, after being informed of its specific purposes and conditions.
Requires personal data to be processed lawfully, fairly, and transparently.
Legal basis for processing personal data are performance of contract, legal obligations compliance, protection of vital interests, controller's legitimate interests, and data subject's consent.