The ICO emphasises the requirements for consent, which must be “specific and informed”. It clarifies that consent for purchased “consented” data is valid only if the purchaser is identified at the time the data is collected (i.e., when consent is given). Therefore, EML could not have lawfully purchased the data based on valid consent, as it was not identified as a potential buyer to individuals. The use of these deceptive patterns meant that individuals were not fully aware of the nature of the data collection and how their personal data would be used for marketing purposes. This violated several provisions of data protection regulations, including Article 5(1)(a) of the GDPR, which requires that personal data shall be processed lawfully, fairly and transparently.
Emailmovers Limited must comply with ICO's requirements within three months, which include notifying individuals about the processing of their personal data, ceasing the processing of data for those who were not informed, and keeping appropriate records of consent. Failure to comply may result in a penalty of up to £17.5 million or 4% of the annual worldwide turnover.
Enforcement Notice - 2620027
Related deceptive patterns
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Consent is a voluntary agreement by an individual for their personal data processing, after being informed of its specific purposes and conditions.