BORJAMOTOR, S.A. received a complaint from a customer who expressed their objection to the company's processing of their personal data for direct marketing purposes via email. Despite this objection, the customer continued to receive emails with offers from the company, at a reduced frequency. BORJAMOTOR, S.A. was found to have used a deceptive pattern known as "hard to cancel", which made it difficult for customers to cancel their subscription to the company's marketing emails.
The Netherlands ACM has fined World Ticket Center as it failed to include all mandatory costs in the base price of airfares, did not clearly disclose variable costs, and pre-selected optional extras such as travel and cancellation insurances.
Airbnb was held liable for not disclosing additional fees upfront and violating commercial laws regarding hidden costs and upfront disclosure of the total price of accommodation.
The Belgian DPA fined the private company targeting pregnant mothers. The company through its marketing campaign collected personal data without informing clearly of the processing. Despite withdrawing consent, the complainant was contacted by third parties for its promotions wherein it technically made it difficult to withdraw consent and stop receiving unwanted phone calls from the defendant's partners.
The Danish DPA (Datatilsynet) found that a website's cookie consent mechanism was inadequate, as it only provided an "Allow all cookies" option, making continued use of the website equal to consent. The DPA clarified that this approach to marketing cookies was not in compliance with the law.
Orange România SA was found responsible for using pre-ticked boxes as a form of obtaining consent from customers for storing copies of their identity documents, which does not constitute active consent.
The Belgian DPA issues a reprimand to a government agency for failing to provide website visitors with clear information and a means to refuse non-strictly necessary cookies.
The Austrian DPA found the respondent at fault for not providing information and notifications in languages that are relevant to the countries where the services are being offered, based on the nationality or place of residence of the data subject.
CMA held Microsoft liable for unclear upfront terms, difficulty in turning off auto-renewal, and customers unknowingly paying for unused services in their auto-renewing Xbox Live Gold and Game Pass memberships.
UK DPA fined a car finance company for not providing a simple, clear and specific opt-out process for marketing, lack of information about data processing practices, and absence of opt-out option for individuals.
Emma Matratzen GmbH is being accused for misleading consumers by creating an impression that their sale was time-limited with a countdown clock, despite starting another sale for new customers immediately after the "flash sale" ended.
Viagogo was held liable for failing to provide actual ticket prices, misleading customers about ticket availability, and imposing unfair deadlines for claiming refunds under their guarantee.
Czech DPA fined a broadcaster as the information it provided was not provided in an easily accessible manner, incomplete and outdated.
Add Event Staff, S.L. was warned by the Spanish DPA (AEPD) for not obtaining separate consent for processing activities related to job search and commercial purposes.
The Spanish Data Protection Authority (AEPD) initiated a sanction procedure against Eslora Proyectos, S.L. based on a complaint filed by a Spanish citizen, which alleged that the defendant, the owner of three websites, failed to provide the necessary basic layer information to users regarding the cookies loaded on the websites.
The Spanish DPA fined a hospital for obtaining consent through pre-ticked boxes for commercial communication and data processing and failure to timely provide a copy of the form.
SOCIETE DU FIGARO was held responsible for allowing partners to deposit cookies on user terminals for advertising purposes without obtaining their consent or action. The company failed to provide users with effective means to refuse the deposit of cookies for advertising purposes, despite expressing their desire to do so.
Canary Click Consulting website was held liable for failure to provide information about the storage or deletion of their data and for not providing an option to reject cookies.
Finnish DPA imposed a fine on a manufacturer for bundling consent for various purposes into one and due to lack of valid consent for the processing of personal data.
The Norwegian DPA held the controller liable for direct marketing purposes to a data subject despite of having previously objected to such processing.
The Spanish DPA fined the airline Vueling €18,000 for relying on pre-checked consent boxes that enabled non-essential cookies and for continuing to use non-essential cookies even after users clicked "reject all."
Caixabank Bank was fined by the Spanish DPA for using pre-ticked boxes to request consent for processing personal data, and charging customers who did not accept the terms a monthly maintenance fee of €5.
The Spanish Data Protection Authority issued a reprimand to a controller for failing to fulfill a data subject's request for deletion. Despite six separate attempts by the data subject, the controller did not act promptly, and neither their website nor app allowed for easy account cancellation.
The Spanish Data Protection Authority (DPA) has fined an airline for violating cookie regulations on their website. The airline failed to give users a choice, provide sufficient information, and allow users to reject all cookies at once.
Wind Tre was fined by the Garante for not allowing customers to withdraw consent or object to marketing data processing, lacking transparency in data information, using a single button for multiple consents, using small prints, bundled consents, and conducting unlawful data collection and unauthorised marketing.
Abanca Corporación Bancaria was found to be using unnecessary cookies on its website without obtaining prior consent from users, leading to a fine by the Spanish Data Protection Agency (AEPD).
The Spanish DPA (AEPD) fined Asociación de Víctimas por Arbitrariedades Judiciales (JAVA) for publishing illegal recordings on its website and dropping Google Analytics cookies without user consent. Additionally, there was no second layer on the cookie banner enabling the user to refuse to consent to all cookies.
The DPA held a public entity liable as the details were not easy to find on the website, and were only accessible in English, and not in any of the official languages.
The French DPA fined Apple for implementing the ‘personalised ads’ setting as default without prior consent and making it hard to change the setting by involving multiple steps.
The French DPA fined Microsoft for installing non-essential cookies without valid consent and making refusal of cookies harder than accepting them by placing them on a second layer.
VOODOO was fined by the French DPA for not obtaining user consent for personalized advertising and for providing false information about user tracking behavior. Users were presented with a misleading choice of accepting or declining tracking, followed by a second window requiring acceptance of the provider's data protection policy.
TikTok was fined by the French DPA for implementing advertising identifiers without consent and for having an insufficiently informative cookie banner. The banner allowed users to accept all cookies with one click, making it difficult to refuse them, and some advertising cookies were placed even if a user did not consent.
The Danish DPA found Den Blå Avis at fault for using a single 'accept' button for processing data for different purposes, disclosing data to third parties without sufficient notice, and not providing a link or menu for the purpose of data sharing.
EasyJet was held liable for inadequate travel insurance policy transparency and creating obstacles for refunds during online ticket purchases. Consumers were not given essential information to make an informed choice regarding insurance policies.
The Italian Competition Authority found that "Edates" made it challenging for consumers to cancel subscriptions, sent frequent payment reminders, and made unauthorized credit card withdrawals, violating consumer rights.
CMA found Expedia's practices potentially misleading to customers, including undisclosed fees, presenting some properties as discounted without indicating the real price, and better placement in search results for accommodations paying a specific fee.
The ICO issued a penalty against Unite the Union for unsolicited direct marketing calls despite having explicitly opted out and by those who had not given informed valid consent to receive such calls.
Groupe Rossel & Cie, a press group, was found to have unlawfully obtained user consent for the management of non-essential cookies on its websites through the ‘further browsing’ technique, which unlawfully coupled the users' expression of cookie consent with the choice to continue to the website.
ABCmouse agreed to pay $10 million and change its marketing and billing practices after the FTC found it misled consumers about cancellations, withheld information and charged memberships without consent.
The FTC sued LendingClub and found the company liable for deducting hidden up-front fees from loans and failing to provide consumers with clear and conspicuous privacy notices. Despite claiming "no hidden fees," LendingClub was found to have charged borrowers hundreds or even thousands of dollars in undisclosed fees.
Vizio Inc. was found guilty of unauthorized tracking and failing to provide information before collecting and sharing their television viewing information.
Vonage was held liable by the court for charging customers without their consent, failure to provide required disclosures, and not offering simple mechanisms for customers to cancel their telephone services.
Noom Inc reached a settlement with FTC, accusing the app provider of tricking customers into signing up for "risk-free" trial periods only to force them into automatic and costly renewals that were difficult to cancel.
The Belgian Data Protection Authority (APD/GBA) imposed a fine on the defendant for placing cookies without prior consent and obtained consent via pre-ticked boxes. Additionally, their policies lacked transparent information on data subject's rights, their exercise, and legal basis for processing.
The Irish DPC held WhatsApp liable for failure to provide non-users with the necessary information and making it difficult to access by excessively spreading it out across several documents.
The Irish DPC has issued a draft decision against Yahoo for using cookie banner that lacks an option for users to deny ad tracking by not offering the required free choice.
The Danish DPA expressed criticism against a controller for using multiple layers to collect consent, not providing adequate information and using colors (greyed options) to influence user choice.
The Belgian DPA fined the IAB Europe as information provided to the data subjects was too generic and incomplete regarding processing of data or their right to object to it.
CNIL found Amazon guilty of depositing cookies without prior consent and the failure to inform users about depositing cookie or the means to refuse them.
The EDPB fined Meta for the providing lack of processing contact information on children’s business accounts and using ‘public by default’-settings for child users.
The Spanish DPA imposed a fine on the owner of a commercial website for processing personal data without proper consent, using unnecessary third-party cookies that could not be rejected, and failing to provide clear information about the cookies in use in the Cookies policy.
Marbella Resorts was fined by the Spanish DPA for not having a data processing agreement with the processor and for violating the Spanish Law on cookies by placing unnecessary cookies without user consent.
CNIL found Google liable for providing information in a fragmented and generic manner, and for using pre-ticked boxes for personalization settings of the account.
The news service was fined by the Hungarian DPA where the controller's newsletter subscribers were automatically enrolled in electronic marketing and a prize draw without adequate information or the ability to provide specific consent.
The OFT held websites liable having unverified testimonials and failure to allow price comparison on its sites.
Adaptive Affinity was held liable as its consumers were being signed up to online credit score and discount reward membership schemes and being charged a monthly subscription fee for each service.
Planet49 ran a promotional lottery competition on its website. To play in the lottery, users were required to tick a checkbox to receive third-party advertising, otherwise they could not play. Also, the registration process included a pre-ticked checkbox that would allow tracking of their online behaviour.
Ryanair was held liable for not providing adequate information or giving misleading information to consumers acquiring the insurance policy covering the risk of travel cancellation.
HH Invest SIA, an online store, was fined by the Latvian DPA (Datu valsts inspekcija) for insufficiently informing a data subject about the processing of their data.
The Spanish Data Protection Authority (DPA) imposed a fine on a website for violating data privacy laws by installing third-party cookies without user consent and failing to provide sufficient information about the purpose of these cookies. Additionally, the website did not offer an option to reject these cookies and continued to use them without consent even after the user had deactivated the option.
Klarna Bank was fined by the Swedish DPA for insufficiently informing data subjects about its processing activities, including international data transfers, retention periods, data subject rights, and automated decision-making, such as profiling.
The UODO imposed a fine against a company for preventing data subjects to withdraw consent easily and effectively their consent and to request the erasure of their personal data
We Buy Any Car Ltd, a car valuation company, was fined by the UK DPA for sending unsolicited marketing emails and SMS, with complainants unable to unsubscribe from them.