JP/Politikens Hus A/S Investigation by Danish DPA

Reprimand issued


The Danish DPA expressed criticism against a controller for using multiple layers to collect consent, not providing adequate information and using colors (greyed options) to influence user choice.

Our analysis

The Danish Data Protection Authority conducted a written inspection into JP/Politiken A/S' processing of personal data about visitors to JP/Politiken used a consent solution with three options - Necessary only, Customize Settings, and Accept all. However, visitors who selected Accept all did not receive adequate information about all processing purposes, as the purpose of preferences only appeared in the second layer of the consent solution. This means that visitors did not give informed consent, and the processing of personal data for statistical and marketing purposes contradicted the principle of legality, fairness, and transparency. While visitors could access the second layer of the consent solution by clicking on Customize Settings, the Danish Data Protection Authority found that this did not constitute voluntary consent because visitors did not have a free choice and control over their personal data.
As a result, since all requirements under the data protection regulation's Article 4(11) were not met, there was no valid consent to form the basis for processing personal data in accordance with the data protection regulation's Article 6(1)(a). The authority raised concerns that the use of colors in response buttons, especially a traffic light-like system, can influence visitors to make certain choices and constitute a form of nudging that is not compatible with the principle in Article 5(1). While the Authority generally allows design freedom in layout and content, it believes that the use of colors should not lead to opacity or unreasonable processing situations. In the specific case of the consent solution, the use of green for the "Accept all" button, according to the Authority, can bypass the data subject's ability to exercise an informed choice.


The DPA found that the controller's website did not obtain informed consent as visitors who clicked on "Accept all" did not receive all processing information. The consent did not meet Article 4(11) GDPR, and the controller could not rely on Article 6(1)(a) GDPR. Additionally, using a traffic light-like colour and design scheme in the consent solution constituted a form of "guiding" that interfered with the user's ability to make an informed choice. As a result, the DPA reprimanded the controller for the identified violations.


JP/Politikens Hus A/S (Controller) and Danish DPA

Case number


Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us