Excerpt
Wind Tre was fined by the Garante for not allowing customers to withdraw consent or object to marketing data processing, lacking transparency in data information, using a single button for multiple consents, using small prints, bundled consents, and conducting unlawful data collection and unauthorised marketing.
Our analysis
Wind Tre, an Italian telecommunications company, has been found to have violated several articles of the GDPR and Italian Privacy Code by the Italian DPA (Garante) following complaints from both Wind Tre and non-Wind Tre users. The complaints related to unsolicited marketing communications made without their consent through texting, emails, faxes, and automated phone calls. This is an example of the deceptive pattern of hidden information, where Wind Tre did not provide clear information to data subjects regarding their communications channels and methods. Many complainants noted that they were unable to withdraw their consent or object to the processing of their data for marketing purposes, partly due to inaccurate contact information in Wind Tre's privacy policies. This is an example of the hard to cancel pattern, where Wind Tre made it difficult for data subjects to withdraw their consent, as their contact information was not accurate. The Garante's investigation revealed that Wind Tre's operating methods incentivized sellers to collect "as much consent as possible" from data subjects while impairing their ability to object to processing of data for promotional purposes. This is an example of the deceptive pattern of forced action, where Wind Tre pressured data subjects to give their consent to the processing of their personal data for commercial purposes.
Deceptive patterns such as hidden information, hard to cancel, bundling of consents, and forced action were also used by the company to gain consents from data subjects. The presence of a single button in the management system to facilitate the tick of all consent boxes and small prints used to inform about consent collection were considered further negative elements by the DPA, indicating bundling of consents. Wind Tre's practices for the identification of data subjects were also found to be in violation of GDPR regulations. The company stated that it did not act on data subjects’ requests to withdraw consent if these did not come with a copy of an ID. This is an example of the deceptive pattern of hidden information, where Wind Tre did not provide clear information to data subjects regarding the information required to withdraw their consent. Overall, Wind Tre's deceptive patterns violated various GDPR articles, including Articles 5(1), 5(2), 6(1)(a), 7, 12(1), 12(2), 24, and 25.
Outcome
Wind Tre was found to have violated several articles of the GDPR, including Articles 5(1), 5(2), 6(1)(a), 7, 12(1), 12(2), 24 and 25, by the Garante. As a result, Wind Tre was fined 16,729,600 EUR, prohibited from any further processing and was ordered to align their processing practices with the requirements of the GDPR.
Parties
D.A.A.A. (Complainant) and Wind Tre SpA
Case number
9435753
Decision
Related deceptive patterns
Hard to cancel (aka "Roach Motel") is a deceptive pattern where it is easy to sign up for a service or subscription, but very difficult to cancel it. This typically involves hiding the cancellation option, requiring users to call customer services to cancel, and making the cancellation process overly complex and time-consuming. This can cause users to give up trying to cancel, and continue paying for the service for a longer period.
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Requires personal data to be processed lawfully, fairly, and transparently.
Legal basis for processing personal data are performance of contract, legal obligations compliance, protection of vital interests, controller's legitimate interests, and data subject's consent.
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Requires data controllers to implement appropriate measures to ensure data protection and to demonstrate compliance with GDPR.
Mandates that data protection must be incorporated into the design of systems, and that privacy must be a default setting for all data processing activities.
Outlines conditions for fines and penalties for non-compliance, including up to 4% of global annual revenue or €20 million, whichever is greater.
Prohibits the use of automated calling and communication systems for unsolicited promotional purposes, except with the prior consent of the data subject or for legitimate interest of the data controller.