Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal v. Orange România SA

Response to request for a preliminary ruling


Orange România SA was found responsible for using pre-ticked boxes as a form of obtaining consent from customers for storing copies of their identity documents, which does not constitute active consent.

Our analysis

Orange România SA, a provider of mobile telecommunications services in Romania, was found to have violated Article 32 of the Romanian Data Protection Act by obtaining and storing copies of customers' identity documents without their express consent. The Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (national Romanian data protection authority) imposed an administrative penalty on Orange România and ordered the controller to destroy already existing copies of the IDs.
Orange România had requested consent for this data processing by providing customers with the option to refuse their consent in handwritten form. However, some of the contracts for mobile telecommunication services had a pre-ticked box signaling the consent to the storage of ID copies, while others did not. In order to refuse consent, customers had to fill out an additional form before the conclusion of the contract.
The DPA found that the use of pre-ticked boxes to signal consent to the storage of ID copies was a deceptive pattern that violated the principle of "freely given" consent. The DPA argued that "freely given consent" requires active behavior and a high degree of autonomy on the part of the data subject. Consent in the form of a preselected tick of a checkbox cannot imply active consent on the part of the data subject dealing with a physical document which he or she ultimately signs. The DPA also found that Orange România failed to ensure that the customers were sufficiently informed about the data processing, violating the principle of "informed consent".


In response to the preliminary ruling concerns the interpretation of Article 2(h) of Directive 95/46/EC, CJEU held that Article 2(h) and Article 7(a) of Directive 95/46/EC and Article 4(11) and Article 6(1)(a) of Regulation (EU) 2016/679 state that data controllers must prove that data subjects have given active and informed consent for their personal data to be processed. A telecommunications contract containing a clause stating that a data subject has given consent to the collection and storage of their identity document for identification purposes does not demonstrate valid consent if the box has been pre-ticked, the contract is misleading, or the data subject is required to complete an additional form to refuse consent.


Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (national Romanian data protection authority; ‘the ANSPDCP’ and Orange România SA

Case number

Case C‑61/19

Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us