Legal cases

Businesses that use deceptive patterns (aka 'dark patterns') often get hit with big fines and penalties.

Filters
Clear all
Showing 0 of 100
Administrative or judicial authority
Clear
Jurisdiction
Clear
Search
Clear
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Remove
Filters

Google faced liability for processing user data across services without affording users adequate choice options through its selection dialogue interfaces.

Changes made to consent choices interface
|
EU & UK
|
Federal Cartel Office (Bundeskartellamt)
|
October 5, 2023

TikTok was held liable for nudging children towards privacy-intrusive settings using bold text in two pop-up notifications, hindering neutral and objective choices.

€345 million in fines
|
EU & UK
|
Irish Data Protection Commission (DPC)
|
September 1, 2023

Vermont was held liable for hidden subscriptions, misrepresenting time-limited discounts, and obstructing subscription cancellations.

$2.35 million multistate settlement
|
USA
|
State of Vermont Superior Court Washington Unit
|
June 15, 2023

The New York Times was held liable for failing to clearly disclose automatic subscription renewal terms, leading to unauthorized charges and hidden subscription renewals.

Motion to Dismiss Denied
|
USA
|
United States District Court for the Southern District of New York (Manahattan County)
|
May 23, 2023

HomeAdvisor was fined for misleading users about the cost of an optional one-month subscription and making false representations about its services.

$7.2 million in fines
|
USA
|
Federal Trade Commission
|
April 20, 2023

Epic Games faced a fine from the FTC after allegations that the company employed deceptive techniques to manipulate players into making unintended purchases, while also allowing children to accumulate unauthorized charges without parental consent.

$245 million in fines
|
USA
|
Federal Trade Commission
|
March 13, 2023

Italian DPA found Ediscom guilty of using misleading interfaces and unclear submission procedures, such as prompting users to provide consent for marketing despite already denying it.

€300,000 in fines
|
EU & UK
|
Italian DPA (GPDP)
|
February 23, 2023

Credit Karma was fined for using false "pre-approved" claims, to entice consumers into applying for credit card offers they often did not qualify for.

$3 million in fines
|
USA
|
Federal Trade Commission
|
January 23, 2023

Grubhub fined for promises of "free" orders via subscription, unauthorised restaurant listings, and hidden fees.

$3.5 million in fines
|
USA
|
Superior Court of the District of Columbia Civil Division
|
December 30, 2022

TikTok was fined by the French DPA for implementing advertising identifiers without consent and for having an insufficiently informative cookie banner. The banner allowed users to accept all cookies with one click, making it difficult to refuse them, and some advertising cookies were placed even if a user did not consent.

€5,000,000 in fines
|
EU & UK
|
French DPA (CNIL)
|
December 29, 2022

VOODOO was fined by the French DPA for not obtaining user consent for personalized advertising and for providing false information about user tracking behavior. Users were presented with a misleading choice of accepting or declining tracking, followed by a second window requiring acceptance of the provider's data protection policy.

€3,000,000 in fines
|
EU & UK
|
French DPA (CNIL)
|
December 29, 2022

The French DPA fined Apple for implementing the ‘personalised ads’ setting as default without prior consent and making it hard to change the setting by involving multiple steps.

€8,000,000 in fines
|
EU & UK
|
French DPA (CNIL)
|
December 29, 2022

The French DPA fined Microsoft for installing non-essential cookies without valid consent and making refusal of cookies harder than accepting them by placing them on a second layer.

€60,000,000 in fines
|
EU & UK
|
French DPA (CNIL)
|
December 19, 2022

The Spanish DPA fined a hospital for obtaining consent through pre-ticked boxes for commercial communication and data processing and failure to timely provide a copy of the form. 

€16,000 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
December 15, 2022

Emma Matratzen GmbH is being accused for misleading consumers by creating an impression that their sale was time-limited with a countdown clock, despite starting another sale for new customers immediately after the "flash sale" ended.

Ongoing case
|
EU & UK
|
UK Competition and Markets Authority (CMA)
|
November 30, 2022

The Belgian DPA issues a reprimand to a government agency for failing to provide website visitors with clear information and a means to refuse non-strictly necessary cookies.

Reprimand issued
|
EU & UK
|
Belgian DPA (APD/GBA)
|
November 16, 2022

The Irish DPC has issued a draft decision against Yahoo for using cookie banner that lacks an option for users to deny ad tracking by not offering the required free choice.

Final decision pending
|
EU & UK
|
Irish Data Protection Commission (DPC)
|
November 7, 2022

Vonage was held liable by the court for charging customers without their consent, failure to provide required disclosures, and not offering simple mechanisms for customers to cancel their telephone services.

$100 million settlement
|
USA
|
US District Court for the District of New Jersey
|
November 3, 2022

The Danish DPA expressed criticism against a controller for using multiple layers to collect consent, not providing adequate information and using colors (greyed options) to influence user choice.

Reprimand issued
|
EU & UK
|
Danish DPA (DT)
|
October 27, 2022

The Italian DPA fined Douglas for providing a single button to accept the general terms and conditions, privacy policy and cookie policy. Additionally, there was no information about data processing in its privacy policy.

€1,400,000 in fines
|
EU & UK
|
Italian DPA (GPDP)
|
October 20, 2022

Google was held liable for deceptively tracking users' location data, even after they had disabled the "Location History" setting on their smartphones.

$85 million settlement
|
USA
|
Superior Court of the State of Arizona - County of Maricopa
|
October 3, 2022

The DPA imposed a fine on a website as the web pages where personal data are requested, do not provide information on the company’s privacy policy.

€1,200 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
August 26, 2022

Instacart was held liable for misrepresenting and omitting material facts concerning the default, variable service fee added to consumers' orders.

$1,800,000 in fines
|
USA
|
Superior Court of the District of Columbia, Civil Division
|
August 19, 2022

The EDPB fined Meta for the providing lack of processing contact information on children’s business accounts and using ‘public by default’-settings for child users.

€405,000,000 in fines
|
EU & UK
|
European Data Protection Board (EDPB)
|
July 28, 2022

The Hungarian DPA fined a hotel booking service for sending direct marketing emails without valid legal basis, not obtaining separate consent for specific purposes, not expressly mentioning data processing purposes in the privacy policy.

€1,228 in fines
|
EU & UK
|
Hungarian DPA (NAIH)
|
July 11, 2022

Consumer Council takes legal action against Amazon over obstructive Amazon Prime cancellation process.

Changes made to cancellation practices
|
EU & UK
|
Norwegian Consumer Protection Authority
|
July 1, 2022

CNIL found Amazon guilty of depositing cookies without prior consent and the failure to inform users about depositing cookie or the means to refuse them. 

€35 million in fines
|
EU & UK
|
French DPA (CNIL)
|
June 27, 2022

The news service was fined by the Hungarian DPA where the controller's newsletter subscribers were automatically enrolled in electronic marketing and a prize draw without adequate information or the ability to provide specific consent.

€5,080 in fines
|
EU & UK
|
Hungarian DPA (NAIH)
|
June 24, 2022

Groupe Rossel & Cie, a press group, was found to have unlawfully obtained user consent for the management of non-essential cookies on its websites through the ‘further browsing’ technique, which unlawfully coupled the users' expression of cookie consent with the choice to continue to the website.

€50,000 in fines
|
EU & UK
|
Belgian DPA (APD/GBA)
|
June 16, 2022

The Belgian DPA fined Roularta, for several violations regarding the use of cookies such as placing unnecessary cookies, placing statistical cookies without obtaining consent, using pre-ticked boxes to grant consent for cookies from partners, providing false and inadequate information in their privacy policy, and making it impossible to revoke consent.

€50.000 in fines
|
EU & UK
|
Belgian DPA (APD/GBA)
|
May 25, 2022

The Spanish DPA imposed a fine on the owner of a commercial website for processing personal data without proper consent, using unnecessary third-party cookies that could not be rejected, and failing to provide clear information about the cookies in use in the Cookies policy.

€1,800 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
April 26, 2022

TransUnion deceived consumers by falsely marketing credit scores and credit-related products, enrolling consumers without consent, lacking cancellation mechanisms, and providing misleading information about the products' costs, purpose, and protection of personal information.

Order issued in response to previous settlement
|
USA
|
United States District Court for the Northern District of Illinois Eastern Division
|
April 12, 2022

Ed Napleton Automotive Group was held liable for imposing unauthorized "junk fees" by sneaking unwanted add-on products.

$10 Million in fines
|
USA
|
United States District Court Northern District of Illinois Eastern Division
|
March 31, 2022

Klarna Bank was fined by the Swedish DPA for insufficiently informing data subjects about its processing activities, including international data transfers, retention periods, data subject rights, and automated decision-making, such as profiling.

€730,000 in fines
|
EU & UK
|
Swedish DPA (IMY)
|
March 28, 2022

Noom Inc reached a settlement with FTC, accusing the app provider of tricking customers into signing up for "risk-free" trial periods only to force them into automatic and costly renewals that were difficult to cancel.

$62 million in settlement
|
USA
|
US District Court, Southern District of New York
|
February 11, 2022

The Belgian DPA fined the IAB Europe as information provided to the data subjects was too generic and incomplete regarding processing of data or their right to object to it. 

€250,000 in fines
|
EU & UK
|
Belgian DPA (APD/GBA)
|
February 2, 2022

The Spanish DPA found an online clothing store responsible for handling personal data without consent from the people involved, not having a privacy policy in place, and using unnecessary cookies without informing users properly through a cookie banner.

€1800 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
January 10, 2022

The Spanish DPA fined a online genealogy platform for placing unnecessary own and third-party cookies before asking for consent, and for not offering sufficient information about cookies in the banner and in their privacy policy.

€20,000 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
January 4, 2022

The Spanish DPA imposed a fine on an adult content website for violating data protection regulations. The website was penalised for using cookies without providing adequate information about their nature and purposes, as well as for having an outdated privacy policy that did not comply with the GDPR.

€8000 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
January 3, 2022

The French DPA found Facebook guilty for making it more complex for users to refuse cookies than to accept them, and for not providing users with clear information on refusal of cookies.

€60,000,000 in fines
|
EU & UK
|
French DPA (CNIL)
|
December 31, 2021

MyLife.com was held liable for luring consumers in hard-to-cancel subscription programs and deceptive billing practices.

$21 million in fines
|
USA
|
United States District Court Central District of California, Western Division
|
December 15, 2021

Google LLC and Google Ireland Limited required users to go through several steps to refuse cookies, and for not providing a “refuse all” button in the first layer of the cookie notice.

€150 million in fines
|
EU & UK
|
French DPA (CNIL)
|
December 1, 2021

The Norwegian DPA held the controller liable for direct marketing purposes to a data subject despite of having previously objected to such processing.

Compliance order and reprimand
|
EU & UK
|
Norgwegian DPA (Datatilsynet)
|
November 11, 2021

The ICO issued a penalty against Unite the Union for unsolicited direct marketing calls despite having explicitly opted out and by those who had not given informed valid consent to receive such calls.

£36,000 in fines
|
EU & UK
|
UK DPA (ICO)
|
October 25, 2021

The DPA held a public entity liable as the details were not easy to find on the website, and were only accessible in English, and not in any of the official languages.

€18,000 in fines
|
EU & UK
|
Luxembourg DPA (CNPD)
|
October 21, 2021

The Danish Data Protection Authority issued a ruling against a company which was found to have placed cookies on their website without obtaining valid consent from data subjects. The pop-up cookie banner on the website was designed in a way that made it more difficult for users to reject the use of cookies than to accept them. The company was found to have failed to obtain valid consent from users for the placement of cookies on their devices.

Implementing a new consent based solution.
|
EU & UK
|
Danish DPA (DT)
|
October 20, 2021

The PREICO JURÍDICOS website was fined by the Spanish DPA for violating regulations regarding the use of cookies. The website was found to have used non-technical and non-necessary cookies without obtaining proper consent, failed to display an appropriate cookie banner, and provided insufficient information in its Cookies Policy.

€2,000 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
September 26, 2021

We Buy Any Car Ltd, a car valuation company, was fined by the UK DPA for sending unsolicited marketing emails and SMS, with complainants unable to unsubscribe from them.

€234,000 in fines
|
EU & UK
|
UK DPA (ICO)
|
September 13, 2021

The Irish DPC held WhatsApp liable for failure to provide non-users with the necessary information and making it difficult to access by excessively spreading it out across several documents.

€225,000,000 in fines
|
EU & UK
|
Irish Data Protection Commission (DPC)
|
August 20, 2021

SOCIETE DU FIGARO was held responsible for allowing partners to deposit cookies on user terminals for advertising purposes without obtaining their consent or action. The company failed to provide users with effective means to refuse the deposit of cookies for advertising purposes, despite expressing their desire to do so.

€50,000 in fines
|
EU & UK
|
French DPA (CNIL)
|
July 27, 2021

Marbella Resorts was fined by the Spanish DPA for not having a data processing agreement with the processor and for violating the Spanish Law on cookies by placing unnecessary cookies without user consent.

€7000 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
June 23, 2021

Emailmovers Limited's privacy policy was not specific enough and did not clearly name third-party recipients. Deploying the deceptive pattern of hidden and misleading information, the company's email data and marketing service were found to have no clear lawful basis for possessing individuals' personal data, violating the principles of lawfulness, fairness, and transparency.

3 months to comply
|
EU & UK
|
UK DPA (ICO)
|
June 22, 2021

The Spanish DPA (AEPD) imposed a fine on a radio station for not including a link to their cookie policy in the cookie banner and for placing non-essential cookies on user devices without obtaining prior consent.

€1200 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
June 7, 2021

UK DPA fined a car finance company for not providing a simple, clear and specific opt-out process for marketing, lack of information about data processing practices, and absence of opt-out option for individuals.

€198,000 in fines
|
EU & UK
|
UK DPA (ICO)
|
May 24, 2021

Czech DPA fined a broadcaster as the information it provided was not provided in an easily accessible manner, incomplete and outdated.

€3800 in fines
|
EU & UK
|
Czech DPA (UOOU)
|
April 29, 2021

ABCmouse agreed to pay $10 million and change its marketing and billing practices after the FTC found it misled consumers about cancellations, withheld information and charged memberships without consent.

$10 million in settlement
|
USA
|
US District, Court Central District of California
|
April 19, 2021

The Spanish Data Protection Authority (DPA) imposed a fine on a website for violating data privacy laws by installing third-party cookies without user consent and failing to provide sufficient information about the purpose of these cookies. Additionally, the website did not offer an option to reject these cookies and continued to use them without consent even after the user had deactivated the option.

€3000 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
April 16, 2021

TikTok was fined by the Dutch DPA for violating GDPR Article 12(1) by providing its privacy policy solely in English to Dutch users, many of whom are children under the age of 16.

€750,000 in fines
|
EU & UK
|
Dutch DPA (AP)
|
April 9, 2021

Abanca Corporación Bancaria was found to be using unnecessary cookies on its website without obtaining prior consent from users, leading to a fine by the Spanish Data Protection Agency (AEPD).

€5,000 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
March 29, 2021

Caixabank Bank was fined by the Spanish DPA for using pre-ticked boxes to request consent for processing personal data, and charging customers who did not accept the terms a monthly maintenance fee of €5.

€2,000,000 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
February 21, 2021

The Washpoint SL was fined by the Spanish DPA (AEPD) for two violations: first, the absence of a Privacy Policy on their website; and second, the absence of a reject button on the second layer of their Cookie Policy.

€2000 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
February 16, 2021

Predase Servicios Integrales SL was fined by the Spanish Data Protection Agency (AEPD) for breaching Article 13 of the GDPR. The company was found to be non-compliant as it did not have a privacy policy and failed to provide any information on data processing in the contact section of its website, which required users to provide their personal data.

€5,000 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
January 28, 2021

The Belgian DPA fined the private company targeting pregnant mothers. The company through its marketing campaign collected personal data without informing clearly of the processing. Despite withdrawing consent, the complainant was contacted by third parties for its promotions wherein it technically made it difficult to withdraw consent and stop receiving unwanted phone calls from the defendant's partners.

€50,000 in fines
|
EU & UK
|
Belgian DPA (APD/GBA)
|
January 20, 2021

The Spanish DPA (AEPD) fined ASOCAPAC for insufficient information provided on the first layer of the cookie banner and the missing "refuse all cookies" option in the cookie policy on their website.

1 month to comply with GDPR requirements
|
EU & UK
|
Spanish DPA (AEPD)
|
January 14, 2021

The Austrian DPA found the respondent at fault for not providing information and notifications in languages that are relevant to the countries where the services are being offered, based on the nationality or place of residence of the data subject.

No fine, partly upheld
|
EU & UK
|
Austrian DPA (DSB)
|
January 7, 2021

HH Invest SIA, an online store, was fined by the Latvian DPA (Datu valsts inspekcija) for insufficiently informing a data subject about the processing of their data.

€15,000 in fines
|
EU & UK
|
Latvian DPA (DVI)
|
December 15, 2020

The Danish DPA (Datatilsynet) found that a website's cookie consent mechanism was inadequate, as it only provided an "Allow all cookies" option, making continued use of the website equal to consent. The DPA clarified that this approach to marketing cookies was not in compliance with the law.

Redesigning consent mechanism
|
EU & UK
|
Danish DPA (DT)
|
December 11, 2020

Banco Bilbao Vizcaya Argentaria, SA was fined by the Spanish Data Protection Authority (AEPD) for issues related to imprecise terminology, vague formulations, the absence of the option to refuse in the privacy policy, and the use of pre-ticked checkboxes to obtain consent.

€5 million in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
December 11, 2020

DoorDash was held liable for deceiving consumers by falsely portraying the impact of their tips on Dasher pay and encouraging tips under false pretenses.

$2.5 million in fines
|
USA
|
Superior Court of the District of Columbia Civil Division
|
November 24, 2020

Carrefour France has been fined by CNIL for violating GDPR and French data protection laws, including excessive data retention, unclear data processes, inadequate response to requests, security breaches, and unlawful use of cookies. They also sent prospecting emails despite objections and did not provide unsubscribe links.

€ 2250000 in fines
|
EU & UK
|
French DPA (CNIL)
|
November 18, 2020

The company was held liable for insufficient clarity in information, and the absence of a clear cookie policy or consent for the use of cookies.

€1500 in fines
|
EU & UK
|
Belgian DPA (APD/GBA)
|
November 13, 2020

Orange România SA was found responsible for using pre-ticked boxes as a form of obtaining consent from customers for storing copies of their identity documents, which does not constitute active consent.

Response to request for a preliminary ruling
|
EU & UK
|
Court of Justice of the EU (CJEU)
|
November 11, 2020

BORJAMOTOR, S.A. received a complaint from a customer who expressed their objection to the company's processing of their personal data for direct marketing purposes via email. Despite this objection, the customer continued to receive emails with offers from the company, at a reduced frequency. BORJAMOTOR, S.A. was found to have used a deceptive pattern known as "hard to cancel", which made it difficult for customers to cancel their subscription to the company's marketing emails.

€8,000 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
November 10, 2020

The Spanish DPA (AEPD) fined Asociación de Víctimas por Arbitrariedades Judiciales (JAVA) for publishing illegal recordings on its website and dropping Google Analytics cookies without user consent. Additionally, there was no second layer on the cookie banner enabling the user to refuse to consent to all cookies.

€ 8000 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
November 10, 2020

Miguel Ibáñez Bezanilla was fined by the Spanish DPA for multiple violations related to his website. These included the absence of a banner on cookies usage, insufficient information on the identity, features, and length of cookies, and the lack of an option to refuse them. The website was found to be technically unsafe, the privacy policy was not updated, and the provided cookie information was inadequate.

€ 3000 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
November 10, 2020

The Spanish Data Protection Authority (DPA) has fined an airline for violating cookie regulations on their website. The airline failed to give users a choice, provide sufficient information, and allow users to reject all cookies at once.

€30,000 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
October 16, 2020

Add Event Staff, S.L. was warned by the Spanish DPA (AEPD) for not obtaining separate consent for processing activities related to job search and commercial purposes. 

Warning issued
|
EU & UK
|
Spanish DPA (AEPD)
|
October 16, 2020

The Spanish DPA fined the airline Vueling €18,000 for relying on pre-checked consent boxes that enabled non-essential cookies and for continuing to use non-essential cookies even after users clicked "reject all."

€18,000 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
October 6, 2020

Iweb Internet Learning, S.L. was fined by the Spanish Data Protection Agency for failing to identify the data controller, not allowing separate consent for each purpose, and providing insufficient information on the use of cookies.

€7,800 voluntary fine
|
EU & UK
|
Spanish DPA (AEPD)
|
September 24, 2020

The Spanish Data Protection Authority (AEPD) initiated a sanction procedure against Eslora Proyectos, S.L. based on a complaint filed by a Spanish citizen, which alleged that the defendant, the owner of three websites, failed to provide the necessary basic layer information to users regarding the cookies loaded on the websites.

€6,000 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
July 20, 2020

Wind Tre was fined by the Garante for not allowing customers to withdraw consent or object to marketing data processing, lacking transparency in data information, using a single button for multiple consents, using small prints, bundled consents, and conducting unlawful data collection and unauthorised marketing.

€ 16,729,600 in fines
|
EU & UK
|
Italian DPA (GPDP)
|
July 9, 2020

Effen Ads tricked users by sending spam emails that falsely claimed endorsements from news organizations and celebrities to promote fraudulent schemes.

$1.5 million in fined
|
USA
|
United States District Court for the District of Utah
|
June 30, 2020

The Danish DPA found Den Blå Avis at fault for using a single 'accept' button for processing data for different purposes, disclosing data to third parties without sufficient notice, and not providing a link or menu for the purpose of data sharing.

No fine
|
EU & UK
|
Danish DPA (DT)
|
June 18, 2020

ARANOW PACKAGING MACHINERY, S.L was fined by AEPD for violations related to its Cookie Policy. AEPD conducted an investigation that included an examination of the information provided in the Cookie Policy, including details on the use of cookies and data collected. AEPD also looked for any mechanism to reject all cookies, but found none.

€3000 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
June 9, 2020

The Belgian DPA held an organization liable for continued direct marketing practices despite objection by the complainant; and for failing to provide clear information about the right to object in the privacy policy.

€1000 in fines
|
EU & UK
|
Belgian DPA (APD/GBA)
|
May 28, 2020

LendEDU was fined for promoting products in exchange for a fee and posting fake positive reviews on its website.

$350,000 in fines
|
USA
|
Federal Trade Commission
|
May 26, 2020

Progressive Leasing was held liable for misleading consumers to pay more than the sticker price for items by hiding the cost behind a non-descript dropdown arrow

$175 million in fines
|
USA
|
US District Court for Northern District of Georgia Atlanta Division
|
April 22, 2020

A controller was fined by the AEPD for inadequate cookie information on its website, including a lack of information on tracking cookies and a vague cookie policy without an easy uninstall tool.

€ 1500 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
April 2, 2020

The Belgian Data Protection Authority (APD/GBA) imposed a fine on the defendant for placing cookies without prior consent and obtained consent via pre-ticked boxes. Additionally, their policies lacked transparent information on data subject's rights, their exercise, and legal basis for processing.

€ 15.000 in fines
|
EU & UK
|
Belgian DPA (APD/GBA)
|
December 17, 2019

The UODO imposed a fine against a company for preventing data subjects to withdraw consent easily and effectively their consent and to request the erasure of their personal data

€47,000 in fines
|
EU & UK
|
Polish DPA (UODO)
|
November 5, 2019

Planet49 ran a promotional lottery competition on its website. To play in the lottery, users were required to tick a checkbox to receive third-party advertising, otherwise they could not play. Also, the registration process included  a pre-ticked checkbox that would allow tracking of their online behaviour.

Undisclosed fines
|
EU & UK
|
Court of Justice of the EU (CJEU)
|
October 1, 2019

UrthBox engaged in offering a supposedly "free" trial without adequately disclosing hidden subscription charges and misrepresenting consumer reviews as independent.

$184,000 in fines
|
USA
|
Federal Trade Commission
|
May 17, 2019

Canary Click Consulting website was held liable for failure to provide information about the storage or deletion of their data and for not providing an option to reject cookies.

€8,000 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
April 30, 2019

CMA held Microsoft liable for unclear upfront terms, difficulty in turning off auto-renewal, and customers unknowingly paying for unused services in their auto-renewing Xbox Live Gold and Game Pass memberships.

Refunds issued and changes made
|
EU & UK
|
UK Competition and Markets Authority (CMA)
|
April 5, 2019

Just Landed, a Spanish entity, has been fined by the Spanish DPA for having a privacy policy written only in English and not providing a mechanism to accept, reject or manage cookies.

€ 3000 in fines
|
EU & UK
|
Spanish DPA (AEPD)
|
February 25, 2019

CNIL found Google liable for providing information in a fragmented and generic manner, and for using pre-ticked boxes for personalization settings of the account.

€50,000,000 in fines
|
EU & UK
|
French DPA (CNIL)
|
January 21, 2019

The Spanish Data Protection Authority issued a reprimand to a controller for failing to fulfill a data subject's request for deletion. Despite six separate attempts by the data subject, the controller did not act promptly, and neither their website nor app allowed for easy account cancellation.

Reprimand issued
|
EU & UK
|
Spanish DPA (AEPD)
|
January 19, 2019

Sage Auto coerced users to sign different contracts, charged for unauthrosied add-ons and faked its reviews.

$3.5 million in fines
|
USA
|
United States District Court Central District of California
|
December 6, 2018

The AEPD warned a website for failure to provide precise information about the data processing in its privacy policy.

Warning issued
|
EU & UK
|
Spanish DPA (AEPD)
|
August 27, 2018

Airbnb was held liable for not disclosing additional fees upfront and violating commercial laws regarding hidden costs and upfront disclosure of the total price of accommodation.

In negotiations to comply
|
EU & UK
|
European Commission (EC)
|
July 16, 2018