Excerpt
Banco Bilbao Vizcaya Argentaria, SA was fined by the Spanish Data Protection Authority (AEPD) for issues related to imprecise terminology, vague formulations, the absence of the option to refuse in the privacy policy, and the use of pre-ticked checkboxes to obtain consent.
Our analysis
Banco Bilbao Vizcaya Argentaria, SA (BBVA) faced several joint complaints related to their data processing practices. The first complainant claimed that BBVA sent promotional SMS to their mobile phone without consent, while BBVA argued that the complainant had consented by subscribing to a document on customer identification and processing of personal data. The second complainant claimed that BBVA did not comply with legal requirements for free and informed consent, as their application did not provide the possibility to refuse data processing. BBVA responded that this method of gathering consent was valid according to BBVA and other forums. The third complainant claimed that BBVA asked them to sign a privacy policy document to unblock their account, which included a ticked option that stated they did not want BBVA to process their data for certain purposes. The fourth complainant claimed that they received unauthorised advertising communications, and BBVA argued that the complainant did not oppose this data processing in the privacy policy document they signed. The fifth complainant claimed they received unsolicited calls and SMS, and BBVA argued that the complainant had consented to such processing of personal data for commercial purposes by signing a privacy policy document.
The Spanish DPA investigated the issue and held that BBVA's privacy policy lacked clarity and specificity, which violated Articles 12, 13, and 14 of the GDPR. The DPA stated that BBVA must respect the obligations outlined in Article 13 and 14 in conjunction with Article 5(1)(a) as a data controller that processes personal data. BBVA's privacy policy used imprecise terminology and vague formulations when providing information to the data subject. The DPA found that BBVA did not design a specific mechanism to collect valid consent when relying on consent as a legal basis for processing personal data for certain purposes, and the data subject's options were limited in the way BBVA presented the boxes to tick. BBVA relied on the "inaction" of the data subject to gather consent, which was in breach of GDPR's requirements for gathering valid consent. A general signature of the privacy policy could not be valid consent as it was not specific to distinct purposes, and the consent given was not informed as the privacy policy lacked crucial information. The DPA referred to the Article 29 Working Party Guidelines on transparency to highlight that BBVA's privacy policy fell within the examples of poor transparency practices. The privacy policy was too vague and unclear, making it difficult for data subjects to understand.
Outcome
Banco Bilbao Vizcaya Argentaria, SA was fined €2 million for violating the transparency principle and €3 million for breaching the legality of processing under Article 6 of GDPR by the Spanish Data Protection Authority (AEPD).
Parties
D.AAA (claimant) and Banco Bilbao Vizcaya Argentaria, SA
Case number
PS/00070/2019
Decision
Related deceptive patterns
Preselection employs the default effect cognitive bias – a psychological phenomenon where people tend to go with the option that is already chosen for them, even if there are other choices available. Providers know this and often use it to take advantage of consumers. A common approach is to show a pre-ticked checkbox, though there are various other ways of doing this, including putting items in the user's shopping cart, or pre-selecting items in a series of steps. There are lots of reasons why this is a powerful deceptive pattern. Firstly, there’s simply the matter of awareness - users have to notice it, read it and work out what it all means. If the user doesn't, they'll scroll past completely unaware of the implications. There are other cognitive biases that may be employed in his deceptive pattern. For example, the content may be written to make the user feel that people to feel other people like them would accept the default so they should too (targeting the social proof bias). Alternatively, the content may use an authority figure to pressure users into accepting the default (targeting the authority bias).
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Consent is a voluntary agreement by an individual for their personal data processing, after being informed of its specific purposes and conditions.
Requires personal data to be processed lawfully, fairly, and transparently.
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Specifies required information for data subjects when collecting personal data from other sources, including controller identity, processing purposes, personal data categories, recipients, and retention period.
Gives individuals the right to object to the processing of their personal data in certain situations.
Establishes the principles of lawfulness, fairness, and transparency in the processing of personal data.
Related to transparency and information to the affected party, and it requires the controller to provide certain information to data subjects when collecting their personal data.