Wind Tre, an Italian telecommunications company, has been found to have violated several articles of the GDPR and Italian Privacy Code by the Italian DPA (Garante) following complaints from both Wind Tre and non-Wind Tre users. The complaints related to unsolicited marketing communications made without their consent through texting, emails, faxes, and automated phone calls. This is an example of the deceptive pattern of hidden information, where Wind Tre did not provide clear information to data subjects regarding their communications channels and methods. Many complainants noted that they were unable to withdraw their consent or object to the processing of their data for marketing purposes, partly due to inaccurate contact information in Wind Tre's privacy policies. This is an example of the hard to cancel pattern, where Wind Tre made it difficult for data subjects to withdraw their consent, as their contact information was not accurate. The Garante's investigation revealed that Wind Tre's operating methods incentivized sellers to collect "as much consent as possible" from data subjects while impairing their ability to object to processing of data for promotional purposes. This is an example of the deceptive pattern of forced action, where Wind Tre pressured data subjects to give their consent to the processing of their personal data for commercial purposes.
Deceptive patterns such as hidden information, hard to cancel, bundling of consents, and forced action were also used by the company to gain consents from data subjects. The presence of a single button in the management system to facilitate the tick of all consent boxes and small prints used to inform about consent collection were considered further negative elements by the DPA, indicating bundling of consents. Wind Tre's practices for the identification of data subjects were also found to be in violation of GDPR regulations. The company stated that it did not act on data subjects’ requests to withdraw consent if these did not come with a copy of an ID. This is an example of the deceptive pattern of hidden information, where Wind Tre did not provide clear information to data subjects regarding the information required to withdraw their consent. Overall, Wind Tre's deceptive patterns violated various GDPR articles, including Articles 5(1), 5(2), 6(1)(a), 7, 12(1), 12(2), 24, and 25.