The Planet49 case involved the use of deceptive patterns to obtain users’ consent for the processing of their personal data. These deceptive patterns included pre-ticked checkboxes and unclear language in the consent request, which made it difficult for users to fully understand the implications of their consent. The use of pre-ticked checkboxes is a deceptive opt-out strategy that puts the burden on users to notice the checkbox and actively opt-out of the processing of their personal data. The result of this is that a reasonable user may be tricked into leaving the checkbox ticked, and inadvertently agreeing to something they did not intend. This is an example of the “sneaking” deceptive pattern.
Furthermore, the unclear language used in the consent request made it difficult for users to fully understand what personal data would be processed, how it would be used, or who it would be shared with. This meant that users were not able to make informed decisions about whether to provide consent. The result of this is that a user may inadvertently provide consent to purposes they did not intend to; thereby effectively forcing users to provide consent in order to play in the lottery.
The GDPR provisions that address deceptive patterns in obtaining user consent for personal data processing include Article 4(11), which defines consent as a freely given, specific, informed and unambiguous indication of the data subject’s wishes. Article 12 requires that information provided to users be concise, transparent, intelligible and easily accessible. Recital 32 of Regulation 2016/679 provides that individuals must actively agree to the processing of their data, and this should not be obscured by pre-selected options or vague or confusing language.