Planet 49 vs ECJ

Undisclosed fines

Excerpt

Planet49 ran a promotional lottery competition on its website. To play in the lottery, users were required to tick a checkbox to receive third-party advertising, otherwise they could not play. Also, the registration process included  a pre-ticked checkbox that would allow tracking of their online behaviour.

Our analysis

The Planet49 case involved the use of deceptive patterns to obtain users’ consent for the processing of their personal data. These deceptive patterns included pre-ticked checkboxes and unclear language in the consent request, which made it difficult for users to fully understand the implications of their consent. The use of pre-ticked checkboxes is a deceptive opt-out strategy that puts the burden on users to notice the checkbox and actively opt-out of the processing of their personal data. The result of this is that a reasonable user may be tricked into leaving the checkbox ticked, and inadvertently agreeing to something they did not intend. This is an example of the “sneaking” deceptive pattern. 
Furthermore, the unclear language used in the consent request made it difficult for users to fully understand what personal data would be processed, how it would be used, or who it would be shared with. This meant that users were not able to make informed decisions about whether to provide consent. The result of this is that a user may inadvertently provide consent to purposes they did not intend to; thereby effectively forcing users to provide consent in order to play in the lottery.
The GDPR provisions that address deceptive patterns in obtaining user consent for personal data processing include Article 4(11), which defines consent as a freely given, specific, informed and unambiguous indication of the data subject’s wishes. Article 12 requires that information provided to users be concise, transparent, intelligible and easily accessible. Recital 32 of Regulation 2016/679 provides that individuals must actively agree to the processing of their data, and this should not be obscured by pre-selected options or vague or confusing language.

Outcome

The case was referred back to the German Federal Court of Justice, which subsequently upheld the CJEU’s ruling and ordered Planet49 to comply with GDPR requirements for obtaining valid consent. The company was also fined for non-compliance with GDPR requirements.

Parties

Planet49

Case number

Case C‑673/17

Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us