Planet49 ran a promotional lottery competition on its website. To play in the lottery, users were required to tick a checkbox to receive third-party advertising, otherwise they could not play. Also, the registration process included a pre-ticked checkbox that would allow tracking of their online behaviour.
The Planet49 case involved the use of deceptive patterns to obtain users’ consent for the processing of their personal data. These deceptive patterns included pre-ticked checkboxes and unclear language in the consent request, which made it difficult for users to fully understand the implications of their consent. The use of pre-ticked checkboxes is a deceptive opt-out strategy that puts the burden on users to notice the checkbox and actively opt-out of the processing of their personal data. The result of this is that a reasonable user may be tricked into leaving the checkbox ticked, and inadvertently agreeing to something they did not intend. This is an example of the “sneaking” deceptive pattern.
Furthermore, the unclear language used in the consent request made it difficult for users to fully understand what personal data would be processed, how it would be used, or who it would be shared with. This meant that users were not able to make informed decisions about whether to provide consent. The result of this is that a user may inadvertently provide consent to purposes they did not intend to; thereby effectively forcing users to provide consent in order to play in the lottery.
The GDPR provisions that address deceptive patterns in obtaining user consent for personal data processing include Article 4(11), which defines consent as a freely given, specific, informed and unambiguous indication of the data subject’s wishes. Article 12 requires that information provided to users be concise, transparent, intelligible and easily accessible. Recital 32 of Regulation 2016/679 provides that individuals must actively agree to the processing of their data, and this should not be obscured by pre-selected options or vague or confusing language.
The case was referred back to the German Federal Court of Justice, which subsequently upheld the CJEU’s ruling and ordered Planet49 to comply with GDPR requirements for obtaining valid consent. The company was also fined for non-compliance with GDPR requirements.
Related deceptive patterns
Preselection employs the default effect cognitive bias – a psychological phenomenon where people tend to go with the option that is already chosen for them, even if there are other choices available. Providers know this and often use it to take advantage of consumers. A common approach is to show a pre-ticked checkbox, though there are various other ways of doing this, including putting items in the user's shopping cart, or pre-selecting items in a series of steps. There are lots of reasons why this is a powerful deceptive pattern. Firstly, there’s simply the matter of awareness - users have to notice it, read it and work out what it all means. If the user doesn't, they'll scroll past completely unaware of the implications. There are other cognitive biases that may be employed in his deceptive pattern. For example, the content may be written to make the user feel that people to feel other people like them would accept the default so they should too (targeting the social proof bias). Alternatively, the content may use an authority figure to pressure users into accepting the default (targeting the authority bias).
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Consent is a voluntary agreement by an individual for their personal data processing, after being informed of its specific purposes and conditions.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Consent should be specific, informed, unambiguous, cover all processing activities, and not inferred from silence or pre-ticked boxes, must be clear, concise and non-disruptive.