Excerpt
The Belgian DPA fined a private company that targeted pregnant mothers. Through its marketing campaign, the company collected personal data without clearly informing data subjects of the processing. Despite withdrawing her consent, the complainant was still contacted by third parties about their promotions, and the company technically made it difficult to withdraw consent and stop receiving unwanted phone calls from the defendant's partners.
Our analysis
The defendant is a marketing company that distributes pink boxes targeting pregnant mothers; the boxes include samples, special offers and information sheets for future parents. The personal data collected was then transferred by the defendant to third parties in exchange for the aforementioned offers and samples. But the defendant failed to provide the complainant with clear and transparent information about the processing of her personal data, including the transfer of data to third parties. Additionally, the complainant was able to easily enter into an agreement with the defendant by filling out a registration form and receiving a pink box, but found it difficult to withdraw her consent and stop receiving unwanted phone calls from the defendant's partners. The case is a classic example of hard to cancel, where it is harder to opt out of the commercial communications than to sign up: when the complainant subsequently decided to withdraw her consent, she still received unwanted phone calls from partners of the defendant in connection with certain promotions, even after having exercised her right. The defendant had breached Article 5 of the GDPR as well as Article 13 due to the lack of transparency, as the defendant was renting and/or selling personal data for commercial purposes via its partners without informing consumers about this processing in a clear and comprehensible manner. The defendant also violated Article 6 of the GDPR, as the customers could not have granted free, explicit, informed and unambiguous permission. In this case the consent was: a) clearly not informed; b) not specific (because accepting the boxes required consent for the transfer of data); c) not given voluntarily (as the lack of consent involved the loss of some benefits).
Outcome
The company was fined €50,000 by the Belgian DPA. The severity of the breach, the nature of the data collected (including information about children), and the large number of individuals affected (21.10% of the Belgian population) were all taken into consideration by the Litigation Chamber of the BE DPA when imposing the fine. Additionally, the company has been ordered to comply with the GDPR within six months.
Parties
Anonymous Complainant and National Service for the Promotion of Childcare Products
Case number
04/2021
Decision
Related deceptive patterns
Hard to cancel (aka "Roach Motel") is a deceptive pattern where it is easy to sign up for a service or subscription, but very difficult to cancel it. This typically involves hiding the cancellation option, requiring users to call customer services to cancel, and making the cancellation process overly complex and time-consuming. This can cause users to give up trying to cancel, and continue paying for the service for a longer period.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Requires personal data to be processed lawfully, fairly, and transparently.
The legal bases for processing personal data are performance of a contract, compliance with legal obligations, protection of vital interests, the controller's legitimate interests, and the data subject's consent.
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.