The Danish Data Protection Authority conducted a written inspection into JP/Politiken A/S' processing of personal data about visitors to www.eb.dk. JP/Politiken used a consent solution with three options - Necessary only, Customize Settings, and Accept all. However, visitors who selected Accept all did not receive adequate information about all processing purposes, as the purpose of preferences only appeared in the second layer of the consent solution. This means that visitors did not give informed consent, and the processing of personal data for statistical and marketing purposes contradicted the principle of legality, fairness, and transparency. While visitors could access the second layer of the consent solution by clicking on Customize Settings, the Danish Data Protection Authority found that this did not constitute voluntary consent because visitors did not have a free choice and control over their personal data.
As a result, since all requirements under the data protection regulation's Article 4(11) were not met, there was no valid consent to form the basis for processing personal data in accordance with the data protection regulation's Article 6(1)(a). The authority raised concerns that the use of colors in response buttons, especially a traffic light-like system, can influence visitors to make certain choices and constitute a form of nudging that is not compatible with the principle in Article 5(1). While the Authority generally allows design freedom in layout and content, it believes that the use of colors should not lead to opacity or unreasonable processing situations. In the specific case of the consent solution, the use of green for the "Accept all" button, according to the Authority, can bypass the data subject's ability to exercise an informed choice.