Anonymous (complainant) v. DGU Erhverv A / S

Redesigning consent mechanism

Excerpt

The Danish DPA (Datatilsynet) found that a website's cookie consent mechanism was inadequate, as it only provided an "Allow all cookies" option, making continued use of the website equal to consent. The DPA clarified that this approach to marketing cookies was not in compliance with the law.

Our analysis

The case involves a website that failed to gather valid consent for processing activities related to marketing cookies. The website's cookie consent mechanism only displayed an "Allow all cookies" button, and users who wanted to refrain from giving consent had no other option. The website operator interpreted the continued use of the website as consenting to the marketing cookies. However, the Danish DPA (Datatilsynet) held that this was illegal, as consent presupposes voluntariness, which was clearly not present in this case. The DPA also emphasised that consent must be an unequivocal expression of will on the part of the data subject, requiring active action and not merely inactivity. The website visitors were not free to choose in a granular fashion between different processing purposes, such as statistics or marketing, which violated the requirement of granularity. The DPA also referred to Recital 32 GDPR and paragraph 62 of the CJEU Planet49 case (C-673/17), which explicitly state that silence, pre-ticked boxes, or inactivity may not constitute consent. The DPA recommended that the controller reconsider the design of its new consent mechanism, as the current wording was not transparent and easy to understand for website visitors. The text of the consent should only include the processing(s) covered by the consent, and the data controller should be aware of the relevant processing basis for the personal data in the consent text. The new consent mechanism also made it unclear to the website visitor which processing basis(s) actually formed the basis for the website's processing of personal data in relation to statistics and marketing. The DPA encouraged the controller to make the consent mechanism clearer for the website visitor.

Outcome

The Data Inspectorate (Datatilsynet) has reviewed a new consent solution implemented by a data controller and found the wording used in the consent text to be non-transparent and difficult to understand for website visitors. The consent text should only include the processing covered by the consent, and the data controller should consider the relevant processing basis while designing the consent text. The Datatilsynet also notes that the new consent solution allows website visitors to object to the website's legitimate interests in relation to statistics and marketing by clicking on "cookie settings." However, this setup makes it unclear to the website visitor which processing basis(s) actually form the basis for the website's processing of personal data in relation to statistics and marketing. Therefore, the DPA encourages the controller to reconsider the design of its new consent mechanism.

Parties

Anonymous Complainant and DGU Erhverv A/S

Case number

2020-31-3354

Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us