IMY (Sweden) - 2023-16453
IMY - 2023-16453 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 6 GDPR Article 7(3) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 19.12.2024 |
Published: | |
Fine: | n/a |
Parties: | Aktiebolaget Trav och Galopp |
National Case Number/Name: | 2023-16453 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Swedish |
Original Source: | IMY (in SV) |
Initial Contributor: | elu |
The DPA reprimanded a Swedish gambling companies for the improper layout of their cookie banner. The imbalance in colour of the buttons, and the difference in the actions to refuse or accept cookies, made consent under Article 6 GDPR invalid.
English Summary
Facts
The data subject advanced a complaint against one of the biggest Swedish gambling companies Aktiebolaget Trav och Galopp, the controller, due to the lack of valid consent, as well as the impossibility to refuse cookies. More specifically, the choice of color, contrast and links of the cookie banner was claimed to be misleading, thus not allowing the data subject to give an “informed and freely given consent”, thus allegedly violating the principle of transparency.
The controller claimed that, at the time of the complaint, consent was the legal basis for the processing and that, it was possible to refuse cookies, as well as withdraw consent, in the second layer, i.e. through the link placed in the cookie banner, under the heading "How do I manage the acceptance/rejection of cookies?". As of October 2021, the controller introduced a clear “refuse” button instead of a link leading to a second layer where cookies could be rejected. Moreover, the controller changed the colour and contrast of the acceptance and refusal buttons. Finally, no cookies other than necessary cookies were placed in the visitor's browser before the data subjects gave their consent.
Holding
While the DPA recognizes that the Swedish Post and Telecom Authority is, generally, the sole competent supervisory authority over the Swedish Electronic Communications Act 2022:482, it also considered that the personal data processing taking place after collection of such data, is subject to the GDPR. Thus, the DPA analyzed the matter only to the extent concerning the processing of personal data that took place after the data was collected and the deficiencies stated in the complaint relating to that subsequent processing.
The DPA focused its analysis on the requirements of consent under Articles 6(1)(a) and 4(11) GDPR. More specifically, it considered that, for consent to be “freely given and informed”, the data subject shall have “genuine and free choice” (Recital 42). The EDPB Guidelines 05/2020 on consent under the GDPR (paragraphs 13 and 84), also require the controller to design consent solutions in a manner that is clear for the data subject.
Furthermore, Article 7(3) GDPR provides for the right to withdraw his or her consent at any time, which requires that it should be as easy to withdraw as it is to give consent. In practice, when consent is given electronically by a single action, data subjects must be able to withdraw consent just as easily.
After underlying these requirements, the DPA started its analysis of the cookie banner on the controller´s website at the time of the complaint. The analysis was centered on two elements:
- Comparison of consent and withdrawal procedures
When a data subject would visit the website for the first time, the cookie banner would appear immediately. To accept cookies, it was simply possible to click on the “Accept” button. However, withdrawing consent was only possible through the company’s cookie policy, which was located in the footer under the heading ‘Personal data’. Then, it was necessary to click on the "Cookies" button and then on "How do I manage the acceptance/rejection of cookies?" button. The DPA considered it clear that, the steps to accept cookies are significantly less than to withdraw such acceptance. Moreover, the DPA found it difficult for data subjects to find where to withdraw consent at all.
Even in relation to the updated cookie banner, data subjects still needs to go through all the steps above to withdraw consent, meaning that the changes made do not allow withdrawal of consent as easily as acceptance.
- Misleading design
ATG used two different colors for the “Select your cookies” and “Accept” options. If the data subject wanted to accept cookies, a green with white text button was available, while to refuse cookies, a grey/black link was available. The background of the banner was white.
The DPA considered that the link to refuse cookies is not as prominent as a green button on a white background. The fact that a link is used further obstructs data subjects´ understanding of whether the link is simply informative as it is designed in the same way as the general information about cookies in the banner. This reinforced the user´s perception that they can only accept cookies.
Thus, the DPA concluded that the data subject´s consent cannot have been an expression of its unambiguous will, since the design made it appear that there were no other options than to consent. Thus, the data subject´s consent cannot be considered informed and freely given.
Even in relation to the changes made after 21 October 2021, the DPA considered that the design makes the option to accept all cookies more prominent than refusing. In fact, the option to accept cookies has a visually stronger contrast to the background than the option to refuse cookies.
Corrective Measure
Therefore, the DPA deemed it appropriate to impose a reprimand to the controller for the violation of Articles 6 and 7(3) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
File history Click on a date/time to view the file as it appeared at that time. Date/TimeDimensionsUserComment current12:03, 27 January 2025 (103 KB)Elu (talk | contribs) You cannot overwrite this file.File usage There are no pages that use this file.