The Danish DPA (Datatilsynet) found that a website's cookie consent mechanism was inadequate: it provided only an "Allow all cookies" option and treated continued use of the website as consent. The DPA clarified that this approach to marketing cookies was not in compliance with the law.
The case involves a website that failed to gather valid consent for processing activities related to marketing cookies. The website's cookie consent mechanism displayed only an "Allow all cookies" button, so users who wanted to refrain from giving consent had no other option. The website operator interpreted continued use of the website as consent to the marketing cookies. However, the Danish DPA (Datatilsynet) held that this was illegal, as consent presupposes voluntariness, which was clearly not present in this case. The DPA also emphasised that consent must be an unequivocal expression of will on the part of the data subject, requiring active action and not merely inactivity. Website visitors were not free to choose in a granular fashion between different processing purposes, such as statistics or marketing, which violated the requirement of granularity. The DPA also referred to Recital 32 GDPR and paragraph 62 of the CJEU Planet49 case (C-673/17), which explicitly state that silence, pre-ticked boxes, or inactivity may not constitute consent.
The DPA recommended that the controller reconsider the design of its new consent mechanism, as the current wording was not transparent and easy to understand for website visitors. The text of the consent should only include the processing(s) covered by the consent, and the data controller should be aware of the relevant processing basis for the personal data in the consent text. The new consent mechanism also made it unclear to the website visitor which processing basis or bases actually formed the basis for the website's processing of personal data in relation to statistics and marketing. The DPA encouraged the controller to make the consent mechanism clearer for the website visitor.
The Data Inspectorate (Datatilsynet) has reviewed a new consent solution implemented by a data controller and found the wording used in the consent text to be non-transparent and difficult for website visitors to understand. The consent text should only include the processing covered by the consent, and the data controller should consider the relevant processing basis while designing the consent text. Datatilsynet also notes that the new consent solution allows website visitors to object to the website's legitimate interests in relation to statistics and marketing by clicking on "cookie settings". However, this setup makes it unclear to the website visitor which processing basis or bases actually form the basis for the website's processing of personal data in relation to statistics and marketing. Therefore, the DPA encourages the controller to reconsider the design of its new consent mechanism.
Anonymous Complainant and DGU Erhverv A/S
Related deceptive patterns
Forced action involves a provider offering users something they want, but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Consent is an individual's voluntary agreement to the processing of their personal data, given after being informed of its specific purposes and conditions.
The legal bases for processing personal data are performance of a contract, compliance with legal obligations, protection of vital interests, the controller's legitimate interests, and the data subject's consent.