The Italian DPA imposed sanctions on Ediscom for violating multiple provisions of the GDPR, including the accountability principle, conditions for consent, and privacy-by-design and privacy-by-default principles. Ediscom was found to frequently use misleading interfaces and unclear submission procedures. They would prompt users who had already denied consent for marketing communications to provide consent again through deceptive design elements. The link to continue without providing consent was placed outside the pop-up and in a smaller format, making it less visible than the accept button. The Garante also noted that Ediscom employed unclear communication models and registration processes, which violated guidelines on dark patterns. These actions by Ediscom were considered attempts to obtain consent despite the user's clear expression of intent and created confusion, potentially leading to consent given under misleading circumstances. Additionally, Ediscom failed to require email validation for certain services and used specially designed interfaces to collect excess data and bypass the will of the users. The Garante concluded that obtaining consent through such deceptive methods undermined the freedom and awareness of the individuals and was therefore unlawful.