Datatilsynet - 2020-31-3354 | |
---|---|
Authority: | Datatilsynet (Denmark) |
Jurisdiction: | Denmark |
Relevant Law: | Article 4(11) GDPR; Article 6(1)(a) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 11.12.2020 |
Fine: | None |
Parties: | DGU Erhverv A/S |
National Case Number/Name: | 2020-31-3354 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Danish |
Original Source: | Datatilsynet (in DA) |
Initial Contributor: | n/a |
The Danish DPA (Datatilsynet) held that a website's cookie consent mechanism did not gather valid consent, as it only displayed an "Allow all cookies" button. Not clicking the button and continuing to use the website was treated as consent to marketing cookies, which the DPA confirmed was illegal.
The DPA also considered the new design of the website's consent mechanism and encouraged the controller to reconsider the option it chose.
English Summary
Facts
The website first presented visitors with information about the processing activities, after which the visitor could press "Allow all cookies" or "Show details". There was no other button for users who wanted to refrain from giving consent, and the continued use of the website was interpreted by the controller as consenting to the marketing cookies.
The information provided by the website stated:
"This website uses cookies
We use cookies to personalize our content and ads, to show you social media features and to analyze our traffic. We also share information about your use of our website with our social media partners, advertising partners and analytics partners. Our partners may combine this data with other information that you have provided to them or that they have collected from your use of their services. You agree to our cookies if you continue to use our website."
The website visitor then had the option to click on "Allow all cookies" or "Show details". If the visitor clicked "Show details", he/she was presented with information about which cookies www.golf.dk used. It appeared, among other things, that www.golf.dk used 13 cookies in relation to "Preferences", 29 cookies in relation to "Statistics", 218 cookies in relation to "Marketing" and 19 cookies which were "Unclassified".
From the perspective of the website operator, the consent was obtained before the commencement of the proceedings, and the privacy policy on the website stated how consent could be withdrawn.
Dispute
Did the cookie consent mechanism of the website gather valid consent in line with the GDPR?
Holding
In building its argumentation, the DPA also relied on Recital 32 GDPR, as well as paragraph 62 of the CJEU Planet49 case (C-673/17) which states that:
“Active consent is thus now explicitly provided for in Regulation 2016/679. In this respect, it should be noted that, pursuant to recital 32 in the preamble to that regulation, consent may be given, inter alia: by ticking a box when visiting a website. That recital, on the other hand, expressly excludes that silence, pre-ticked boxes or inactivity may constitute consent."
The DPA emphasised that consent presupposes voluntariness, which was clearly not present since it was not possible to refrain from giving consent to the processing in question.
Furthermore, website visitors were not free to choose in a granular fashion between different processing purposes, such as statistics or marketing (the DPA referred to this as the "requirement of granularity").
Finally, the Datatilsynet reiterated that "consent must be an expression of an unequivocal expression of will on the part of the data subject." As confirmed by the Planet49 case, this requires active action and not merely inactivity.
In relation to the controller's new consent solution, the DPA has become aware that the solution contains the following wording:
“Subsequent processing takes place on the basis of your consent and in special cases on the basis of legitimate interest.”
The DPA's "immediate opinion" is that a wording such as the above is not transparent and easy to understand for a website visitor. Instead, the text of consent should only include the processing(s) covered by the consent. The data controller should therefore be aware of the basis for the processing of personal data that is relevant in the design of the consent text.
The Datatilsynet also notes that a website visitor by clicking on "cookie settings" in the new consent solution is presented with the opportunity to object to the website's legitimate interests in relation to statistics and marketing.
It is the Data Inspectorate's assessment that such a setup makes it unclear to the website visitor which processing basis(s) actually form the basis for the website's processing of personal data in relation to statistics and marketing. The DPA therefore encourages the controller to reconsider the design of its new consent mechanism.
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Invalid consent on website
Published 11/13/2020 Decision Private companies
On the basis of a complaint, the Danish Data Protection Agency has found that the consent solution on www.golf.dk did not meet the requirements for e.g. voluntariness, granularity and unequivocal expression of will.
Journal number: 2020-31-3354
Summary
On the basis of a complaint, the Danish Data Protection Agency has expressed serious criticism that DGU Erhverv A/S did not obtain a valid consent in connection with DGU Erhverv A/S' processing of personal data about the visitors to the website www.golf.dk.
DGU Erhverv A/S collected and processed information about the website visitor in connection with his visit to the website www.golf.dk. The purpose of the treatment was i.a. marketing, and the processing took place on the basis of the website visitor's consent.
The consent was obtained by means of a consent solution, whereby the website visitor was initially presented with information about the processing activities on www.golf.dk, after which the website visitor could press "Allow all cookies". It was not possible for the website visitor to refrain from giving consent to the treatment activities. It also appeared that the website visitor's continued use of www.golf.dk would also be considered a consent.
In the case, the Danish Data Protection Agency found that the consent solution that DGU Erhverv A/S used on www.golf.dk did not live up to the validity requirements that the Data Protection Ordinance sets for a consent. In particular, the requirements of voluntariness, granularity and an unequivocal expression of will were not met.
Decision
The Danish Data Protection Agency hereby returns to the case, where [x] (hereinafter complains) on 12 May 2020 has complained to the Authority about DGU Erhverv A/S' (hereinafter DGU) processing of information about him on the websites www.golf.dk and www.golfbox.dk.
The Danish Data Protection Agency notes that DGU has stated that DGU is the sole owner and administrator of the website www.golf.dk. This decision from the Danish Data Protection Agency therefore only deals with the complainant's complaint in relation to the website www.golf.dk.
Decision
After a review of the case, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that DGU's processing of personal data has not taken place in accordance with the rules in Article 6(1)(a) of the Data Protection Regulation [1].
Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.
2. Case presentation
It appears from the case that the complainants and DGU have had ongoing correspondence from 24 May 2018 to 9 August 2018 regarding the consent solution on the website www.golf.dk.
When contacting the complainant to the Danish Data Protection Agency, the website used a consent solution, which stated the following:
"This website uses cookies
We use cookies to personalize our content and ads, to show you social media features and to analyze our traffic. We also share information about your use of our website with our social media partners, advertising partners and analytics partners. Our partners may combine this data with other information that you have provided to them or that they have collected from your use of their services. You agree to our cookies if you continue to use our website."
The website user then had the option to click on "Allow all cookies" or "Show details". If the website user clicked "Show details", the website user was presented with information about which cookies www.golf.dk used. It appeared, among other things, that www.golf.dk used 13 cookies in relation to "Preferences", 29 cookies in relation to "Statistics", 218 cookies in relation to "Marketing" and 19 cookies which were "Unclassified".
Complainants submitted a complaint to the Danish Data Protection Agency on 12 May 2020 regarding DGU's processing of information about him on the websites www.golf.dk and www.golfbox.dk.
On this basis, the Danish Data Protection Agency sent the complainant's complaint for consultation on 19 June 2020 and asked DGU for an opinion on the case.
IDEAL Advokatfirma appeared on 21 August 2020 with a statement on the case on behalf of DGU.
On 4 September 2020, the Danish Data Protection Agency forwarded DGU's statement to complainants, so that complainants were given the opportunity to comment on this. The Danish Data Protection Agency has not received any comments from complainants.
2.1. Complainant's remarks
Complainants have generally stated that the processing of information about him on the website www.golf.dk does not comply with the data protection law rules.
Complaints have accordingly claimed that DGU does not obtain a valid consent to the processing of personal data, which is carried out on the website, as it i.a. is impossible to avoid / deselect cookies.
2.2. DGU's comments
DGU has initially stated that DGU only owns and administers the website www.golf.dk, which is why DGU has no influence on the website www.golfbox.dk and its consent solution.
Regarding the consent solution that is the subject of this decision, DGU has stated that information on complaints was processed on the website www.golf.dk in connection with his visit to the site. Information was collected, registered and passed on in the form of personal information about: postcode, e-mail, IP address, gender, age, usage patterns on site / app, websites visited, which ads complainants clicked on and information about which types of devices (tablet, computer, television, etc.) used by complainants.
The purpose of the processing was to record the website visitor's behavior on the websites, which was described in the privacy policy of the website.
The processing of personal data on the website was based on the data subject's consent, in accordance with Article 6(1)(a) of the Data Protection Regulation. Consent was obtained by the website visitor clicking "Allow all cookies" or by the website visitor's continued use of the website. Consent was obtained before the commencement of the proceedings, and the privacy policy on the website stated how consent could be withdrawn.
DGU has finally stated that it was DGU's opinion that the consent solution lived up to the current rules in the area, but that this perception changed in April 2020, when DGU became aware of the Danish Business Authority's updated cookie guide.
Accordingly, DGU has stated that when DGU became aware of the updated guidance from the Danish Business Authority in April 2020, DGU initiated a process to update www.golf.dk’s consent solution. However, DGU's partner STEP A/S in relation to the previous consent solution (OneTrust) could not deliver a new solution. A temporary solution was therefore implemented in mid-June 2020.
Finally, DGU has stated that in mid-August 2020, DGU implemented a new consent solution (OneTrust), which has been provided by the former partner and data processor STEP A/S.
In summary, DGU has argued that DGU was in an excusable error of law, given the ambiguity and change in practice in the area, which should be included in the assessment. Furthermore, DGU has argued that DGU should be granted a certain implementation period to comply with the Danish Business Authority's new guidelines, and that this implementation period should be seen in the light of DGU's implementation of the new solution taking place at a time of closure, which created problems with delivery of IT solutions.
Justification for the Danish Data Protection Agency's decision
3.1 It is clear from Article 6(1)(a) of the Data Protection Regulation that the processing of personal data is lawful if the data subject has given consent to the processing of his personal data for one or more specific purposes.
Article 4 (11) of the Data Protection Regulation states that a consent means any voluntary, specific, informed and unambiguous expression of the data subject's consent, whereby the data subject agrees by declaration or clear confirmation that personal data relating to the data subject shall be made subject to treatment.
Furthermore, recital 32 in the preamble to the Data Protection Regulation states:
"Consent should be given in the form of a clear confirmation, which involves a voluntary, specific, informed and unambiguous expression of will from the data subject, whereby the person in question accepts that personal data about the person in question is processed, e.g. by a written statement, including electronic, or an oral statement. This can e.g. take place by ticking a box when visiting a website, by choosing technical settings for information society services or another statement or action that clearly in this connection indicates the data subject's acceptance of the proposed processing is his or her personal data. Silence, pre-checked fields or inactivity should therefore not constitute consent. Consent should cover all treatment activities performed for the same purpose or purposes. When treatment serves several purposes, consent should be given to all of them. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily interfere with the use of the service to which consent is given."
Finally, paragraph 62 of the ruling of the European Court of Justice of 1 October 2019 [2] states:
“Active consent is thus now explicitly provided for in Regulation 2016/679.
In this respect, it should be noted that, pursuant to recital 32 in the preamble to that regulation, by ticking a box when visiting a website. That recital, on the other hand, expressly excludes the possibility that silence, pre-ticked boxes or inactivity may constitute consent."
3.2 The Danish Data Protection Agency assumes that DGU processes information about complaints in the form of e.g. IP address and usage patterns on the website and that the information is processed for several purposes, including statistics and marketing.
The Danish Data Protection Agency finds grounds for expressing serious criticism that DGU's processing of information on complaints on the website www.golf.dk has not taken place in accordance with Article 6(1)(a) of the Data Protection Ordinance.
The Danish Data Protection Agency has hereby emphasized that in connection with the complainant's visit to the website www.golf.dk, no valid consent has been obtained in accordance with the data protection law rules.
Consent presupposes voluntariness, in accordance with Article 4 (11) of the Data Protection Regulation. Consent cannot be considered voluntary when it is not possible to refrain from giving consent to the processing in question. The complainant could not refuse to give consent during the visit to www.golf.dk, and the complainant's consent therefore does not live up to the requirement of voluntariness.
Furthermore, a valid consent presupposes that the data subject is free to choose between these for several treatment purposes - the requirement for granularity. The information on complaints has been processed for several purposes, including statistics and marketing. During the visit to www.golf.dk, the complainant did not have the opportunity to select or deselect the various treatment purposes, which is not in accordance with the data protection rules on a valid consent.
Finally, consent must be an expression of an unequivocal expression of will on the part of the data subject. It is stated in the above-mentioned EU Court Decision of 1 October 2019 that an unequivocal expression of will presupposes active action, and that i.a. silence or inactivity cannot constitute a valid consent. The website visitor's continued use of www.golf.dk can thus not constitute consent in the sense of data protection law.
It can not lead to another result that DGU first became aware of the new practice change in April 2020. In this connection, the Danish Data Protection Agency refers to the Danish Data Protection Agency's guide “Processing of personal data on website visitors” from February 2020, which can be found on the Authority's website https://www.datatilsynet.dk/generelt-om-databeskyttelse/vejledninger.
The Danish Data Protection Agency has noted that DGU has implemented a new consent solution on the website www.golf.dk, and that this consent solution offers the website visitor to choose between "Only necessary" and "I accept". Furthermore, the Danish Data Protection Agency has noted that DGU has updated the text, which appears from the consent solution, so that it is now clearer what the website visitor gives consent to, what the purpose of the processing is and how opt-out can take place.
In this connection, the Danish Data Protection Agency notes that in the present decision, the Authority does not otherwise take a position on the new consent solution at www.golf.dk.
However, in relation to DGU's new consent solution, the Danish Data Protection Agency has become aware that the solution contains the following wording:
"Subsequent processing takes place on the basis of your consent and in special cases on the basis of legitimate interest." (The Danish Data Protection Agency's emphasis)
It is the Data Inspectorate's immediate opinion that a wording such as the above is not transparent and easy to understand for a website visitor.
In the opinion of the Danish Data Protection Agency, the text of consent should only include the processing (s) covered by the consent. The data controller should therefore be aware of the basis for the processing of personal data that is relevant in the design of the consent text.
The Danish Data Protection Agency also notes that a website visitor by clicking on "cookie settings" in the new consent solution is presented with the opportunity to object to the website's legitimate interests in relation to statistics and marketing. It is the Data Inspectorate's assessment that such a setup makes it unclear to the website visitor which processing basis (s) actually form the basis for the website's processing of personal data in relation to statistics and marketing.
On the basis of the above remarks to the new consent solution, the Danish Data Protection Agency must encourage DGU to reconsider the design of DGU's current consent solution.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General data protection regulation).
[2] Case C-673/17, Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband eV v Planet49 GmbH