Den Blå Avis' Ex Officio Investigation by Danish DPA

No fine


The Danish DPA found Den Blå Avis at fault for using a single 'accept' button for processing data for different purposes, disclosing data to third parties without sufficient notice, and not providing a link or menu for the purpose of data sharing.

Our analysis

Den Blå Avis (DBA), an online platform for second-hand goods, was found to be using deceptive patterns by the Danish DPA during their processing of personal data of website visitors. The DPA's investigation revealed that DBA had not obtained valid consent from visitors due to hidden information and bundling of consent. By clicking "accept," personal data was processed for multiple purposes, including marketing and personalisation, without clearly stating these purposes. Furthermore, DBA did not adequately inform visitors that their data would be shared with third parties, nor did they provide a link or menu in relation to the purpose for data sharing. The DPA assessed the second consent manager and found that the issues with the first CMP were still present, concluding that neither consent manager was adequate to obtain consent in accordance with Article 4(11) GDPR. The processing was therefore not in compliance with the principle of legality, reasonableness, and transparency outlined in Article 5(1)(a) GDPR.


The DPA ultimately concluded that the data subject's interests were of greater importance than the controller's legitimate interest, and as a result, the controller could not rely on Article 6(1)(f) GDPR for processing data for statistical purposes. Despite criticizing the controller's actions, the DPA did not exercise any corrective powers under Article 58(2) GDPR.


Den Blå Avis' and Danish DPA

Case number


Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us