IMY (Sweden) - 2023-16453

From GDPRhub
IMY - 2023-16453
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 6 GDPR
Article 7(3) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 19.12.2024
Published:
Fine: n/a
Parties: Aktiebolaget Trav och Galopp
National Case Number/Name: 2023-16453
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Swedish
Original Source: IMY (in SV)
Initial Contributor: elu

The DPA reprimanded a gambling company for the improper design of their cookie banner. The graphical emphasis of the accept option and the additional steps required to refuse cookies made the consent under Article 6 GDPR invalid.

English Summary

Facts

The data subject filed a complaint against Aktiebolaget Trav och Galopp (the controller), one of the biggest Swedish gambling companies, alleging that users could not give valid consent and that they could not refuse cookies. More specifically, the choice of colour, contrast and links in the cookie banner was claimed to be misleading. According to the complaint, this prevented the data subject from giving an “informed and freely given consent”, thus allegedly violating the principle of transparency.

The controller claimed that, at the time of the complaint, consent was the legal basis for the processing and that it was possible to refuse cookies as well as withdraw consent in the second layer, i.e. through the link placed in the cookie banner, under the heading "How do I manage the acceptance/rejection of cookies?".

As of October 2021, the controller introduced a clear “refuse” button instead of a link leading to a second layer where cookies could be rejected. Moreover, the controller changed the colour and contrast of the acceptance and refusal buttons. Finally, no cookies other than necessary cookies were placed in the visitor's browser before the data subjects gave their consent.

Holding

While the DPA recognized that the Swedish Post and Telecom Authority is, generally, the sole competent authority over the Swedish Electronic Communications Act 2022:482, it also considered that the personal data processing taking place after the collection of such data is subject to the GDPR. Thus, the DPA decided to analyse the matter only to the extent that it concerned the processing of personal data that took place after the data was collected and the deficiencies presented in the complaint.

The DPA focused its analysis on the requirements of consent under Articles 6(1)(a) and 4(11) GDPR. More specifically, it considered that, for consent to be “freely given and informed”, the data subject must have a “genuine and free choice” (Recital 42). The EDPB Guidelines 05/2020 on consent under the GDPR also require the controller to design consent solutions in a manner that is clear for the data subject.

Furthermore, Article 7(3) GDPR provides for the right of data subjects to withdraw their consent at any time, which requires that it should be as easy to withdraw as it is to give consent.

Against this background, the DPA started its analysis of the cookie banner on the controller's website at the time of the complaint. The analysis was centred on two elements:

- Comparison of consent and withdrawal procedures

When a data subject visited the website for the first time, the cookie banner appeared immediately. To accept cookies, it was enough to click on the “Accept” button. However, withdrawing consent was only possible through the company’s cookie policy, which was located in the footer under the heading ‘Personal data’. There, it was necessary to click on the "Cookies" button and then on the "How do I manage the acceptance/rejection of cookies?" button. The DPA considered it clear that significantly fewer steps were needed to accept cookies than to withdraw that acceptance. Moreover, the DPA found that it was difficult for data subjects to find where to withdraw consent at all.

Even with the updated cookie banner, data subjects still need to go through all the steps above to withdraw consent, meaning that the changes made do not allow withdrawal of consent as easily as acceptance.

- Misleading design

The controller used two different colours for the “Select your cookies” and “Accept” options. To accept cookies, a green button with white text was available, while to refuse cookies, a grey/black link was available. The background of the banner was white. The DPA considered that the link to refuse cookies was not as prominent as a green button on a white background.

The use of a link further obscured whether the link was simply informative or whether it actually allowed the user to refuse the use of cookies. In fact, the link was designed in the same way as the general information about cookies in the banner. This reinforced the user's perception that they could only accept cookies, and that there was no further option to refuse cookies.

Thus, the DPA concluded that the data subject's consent was not an expression of their unambiguous will, since the design made it look like no option other than consent was available. Consequently, the data subject's consent could not be considered informed and freely given.

Even in relation to the changes made after 21 October 2021, the DPA considered that the design makes the option to accept all cookies more prominent than refusing. In fact, the option to accept cookies has a visually stronger contrast to the background than the option to refuse cookies.

Corrective Measure

Therefore, the DPA deemed it appropriate to issue a reprimand to the controller for the violation of Articles 6 and 7(3) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

Postal address:
Box 8114
104 20 Stockholm
Sweden
Website:
www.imy.se
E-mail:
imy@imy.se
Telephone:
+46 (8) 657 61 00
Notice: This document is an unofficial translation of the Swedish Authority for
Privacy Protection’s final decision. Only the Swedish version is authentic.
COMPLAINANT
See appendix
CONTROLLER
Aktiebolaget trav och galopp
Final decision under the General Data
Protection Regulation – Aktiebolaget
Trav och Galopp
Decision of the Swedish Authority for Privacy
Protection
The Swedish Authority for Privacy Protection (IMY) finds that Aktiebolaget Trav och
Galopp (ATG, 556180-4161) has processed the complainant’s personal data in breach
of Article 6 and 7(3) of the General Data Protection Regulation (GDPR) 1 by not making
it as easy to withdraw as to give consent, and making it more difficult for the
complainant to give an informed and freely given consent, by using a misleading
design of its cookie banner.
IMY issues a reprimand to ATG pursuant to Article 58(2)(b) of the GDPR for the
infringements.
Presentation of the supervisory case
IMY has initiated supervision regarding ATG due to a complaint. The complaint is one
of several complaints filed with the European Data Protection Authorities regarding
cookies and cookie banners. The complaints mainly concern the design of cookie
banners, the placement of cookies and the subsequent processing of personal data
after the cookies have been placed on the complainant's browser or device. To
facilitate cooperation on these complaints, a ‘Cookie Banner Taskforce’ was created
within the European Data Protection Board.
In view of the cross-border nature of the processing, IMY has made use of the
cooperation and consistency mechanisms provided for in Chapter VII of the GDPR.
The supervisory authority concerned has been the Austrian Data Protection Authority.
The complainant has essentially stated the following.
On 21 May 2021, ATG processed the complainant’s personal data in breach of the
GDPR because there was no valid consent. Nor has it been possible to refuse cookies
in the first layer and the company has thus made it more difficult to refuse the
1 Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free movement of such data,
and repealing Directive 95/46/EC (General Data Protection Regulation).
Swedish ref.:
IMY-2023-16453
Austrian ref:
D130.865
IMI case register:
372595
Date:
2024-12-19
Our ref.: IMY-2023-16453 2(6)Swedish Authority
for Privacy Protection Date: 2024-12-19
processing of personal data. The design of the cookie banner has through colour
selection, contrast and links also been misleading, which means that it has not been
possible to give an informed and freely given consent in accordance with the GDPR.
This is also contrary to the principle of transparency and information. In addition, it has
not been as easy to withdraw consent as it has been to give consent.
ATG’s information that cookies are used on the website (in a so-called cookie banner)
has been attached to the complaint.
ATG has essentially stated the following. On 21 May 2021, ATG had consent as the
legal basis for the processing. It was possible to refuse cookies and this could be done
in the second layer. It was also possible to withdraw the consent. Information about the
right to withdraw consent was provided in the second layer. The consent was
withdrawn via ATG's cookie policy under the heading "How do I manage the
acceptance/rejection of cookies?".
There were some shortcomings in the consent on 21 May 2021, therefore the following
were addressed in October 2021. ATG introduced a clear button to refuse cookies
instead of a link. Furthermore, the colour and contrast of the buttons were changed.
No cookies other than necessary cookies were placed in the visitor's browser before
the visitor made an active consent to cookies. ATG has attached pictures of the
changes to the cookie banner.
The complainant has been given the opportunity to comment on ATG’s statement and
has withdrawn the parts concerning the possibility to refuse cookies in the first layer
and misleading link design.
ATG has been given the opportunity to comment on the draft decision.
The scope of the case
The Swedish Post and Telecom Authority is the sole competent supervisory authority
over the Electronic Communications Act (2022:482), which contains specific
requirements for the storage of cookies in terminal equipment or the collection of data
from such equipment. However, the personal data processing that takes place after
collection, such as analysis or profiling, is subject to the provisions of the GDPR,
where IMY is the competent supervisory authority. Against that background, IMY’s
investigation has been limited to the processing of personal data that took place after
the data was collected and the deficiencies stated in the complaint relating to that
subsequent processing.
During the handling of the case, the complainant has stated that the parts regarding no
possibility to refuse cookies and that ATG makes it difficult for the complainant to
withdraw or refuse consent through the use of a misleading link, have now been
remedied. IMY also notes that ATG has changed its cookie banner and that there is
now a way to refuse cookies in the first layer and that a button is used instead of a link
to refuse cookies. IMY therefore finds no reason to investigate this further.
Motivation for the decision
Applicable provisions, etc.
Processing of personal data is only lawful if one of the conditions set out in Article 6 of
the GDPR is met. The legal basis in question in the case is consent pursuant to Article
6(1)(a).
Consent is defined in Article 4(11) of the GDPR as any freely given, specific, informed
and unambiguous indication of the data subject’s wishes by which he or she, by a
statement or by a clear affirmative action, signifies agreement to the processing of
personal data relating to him or her. For consent to be valid, all of these requirements
must be met.
Freely given and informed consent
The transparency of the processing of personal data towards the data subject follows
from the principle of transparency set out in Article 5(1) of the Regulation. It is in the
light of that principle the requirement that consent must be informed should be read.
Recital 42 of the GDPR states that consent should not be regarded as freely given
where the data subject has no genuine or free choice or cannot easily refuse or
withdraw his or her consent.
The European Data Protection Board (EDPB) guidelines on consent state that there
should be a genuine choice and control for data subjects. As a general rule, the GDPR
provides that if the data subject has no real choice, feels compelled to consent or will
suffer adverse consequences if they do not consent, the consent will not be valid. The
guidelines also state that data controllers must design consent solutions that are clear
to data subjects. 2
The EDPB further considers that the use of a small font size or a colour that does not
contrast sufficiently to provide sufficient readability (e.g. slightly grey text colour on a
white background) may have a negative impact on users, as the text becomes less
visible and users either overlook it or have difficulty reading it. 3
Withdraw consent
Article 7(3) of the GDPR provides that, in order for consent to be valid, the data subject
must have the right to withdraw his or her consent at any time. Before consent is
given, the data subject shall be informed thereof. It should be as easy to withdraw as it
is to give consent.
The EDPB Guidelines on consent state that consent does not have to be given and
withdrawn in the exact same action, but should be as simple. In practice, when
consent is given electronically by a single mouse click, swipe or keystroke, data
subjects must be able to withdraw consent just as easily. Where consent is obtained
through a service-specific user interface (e.g. via a website or an app), the data
subject must undoubtedly be able to withdraw consent via the same electronic
interface, as switching to another interface for the sole purpose of withdrawing consent
would require an unjustified effort. In addition, the data subject should be able to
2 EDPB Guidelines 05/2020 on consent under Regulation (EU) 2016/679, version 1.1, adopted on 4 May 2020,
paragraphs 13 and 84.
3 EDPB Guidelines 03/2022 on misleading design patterns in social media platform interfaces: how to recognise and
avoid them, Version 2.0, adopted on 14 February 2023 May, paragraphs 51 and 84.
withdraw the consent without difficulty. This means, among other things, that a
controller must ensure that it does not cost anything to withdraw consent or that the
service is impaired. 4
The question in the case is whether there was a valid consent to process the
complainant's personal data via cookies.
Assessment
ATG provides information that cookies are used on the website in a so-called cookie
banner. The banner is displayed, inter alia, when the user first enters the website. In
the first layer of the cookie banner, as it appeared on 21 May 2021, there were two
options to choose from for the data subject, ‘Select your cookies’ and ‘Accept all
cookies’. The following assessment is based on this cookie banner on the company's
website.
Comparison of consent and withdrawal procedures
The complainant highlights the option of having a permanently hovering icon visible on
all pages of the website to withdraw consent. IMY considers that a permanent hovering
icon is an option that can meet the condition that it should be as easy to withdraw as to
give consent. On the other hand, IMY does not consider that the GDPR requires a
specific technical solution that all controllers must use in order to comply with the
requirement of Article 7(3). The assessment of whether it is as easy to withdraw as it is
to give consent needs to be made in the individual case on the basis of the procedure
in question used to give consent. This assessment is in line with the Cookie Banner
taskforce report and the EDPB opinion on valid consent. 5
During the relevant period, when a user visited ATG’s website for the first time, the
cookie banner appeared immediately. The title of ATG’s cookie banner was ‘Accept
cookies’. There, the user could, at the click of a button, consent to the use of all (non-
essential) cookies. Once a user had given their consent in the cookie banner, the
cookie banner disappeared and the website could be used. In order to withdraw
consent, the data subject had to go to the company’s cookie policy, which was located
in the footer under the heading ‘Personal data’. There you had to click on the
"Cookies" button and then on the "How do I manage the acceptance/rejection of
cookies?" button. Information about accepting/denying cookies came up and at the
bottom was the option ‘click here to open the cookie-settings’. There, the data subject
had to click again and then enter a settings center where he or she had to uncheck the
categories of cookies to which he or she had previously consented and then press
‘save settings’. Thus, when comparing the way consent was obtained on the website,
much fewer keystrokes were needed to give consent than to withdraw consent. IMY
further considers that it was difficult for a data subject to find where to withdraw
consent at all.
Since 21 May 2021, ATG has implemented changes to its cookie banner. Among other
things, ATG has added clarification headings on withdrawal under the button ‘how do I
manage the acceptance/rejection of cookies?’ in the cookie policy. However, the data
subject still needs to go through all the steps described above in order to withdraw.
4 EDPB Guidelines 05/2020 on consent under Regulation (EU) 2016/679, version 1.1, adopted on 4 May 2020,
paragraphs 113-114.
5 Report on the work of the EDPB Working Group, ‘Cookie Banner Taskforce’, adopted on 17 January 2023, para. 35
and Opinion 08/2024 on valid consents for “Consent or Pay Models” implemented by large online platforms, adopted
on 17 April 2024, paragraph 169 (IMY translation).
IMY's assessment is therefore that the changes made have not led to a data subject
being able to withdraw his or her consent as easily as giving consent.
Misleading design
IMY does not consider it possible to introduce a general standard regarding the
colours and contrasts that a data controller should use in its cookie banner. An
assessment of a cookie banner and whether it complies with the GDPR needs to be
made on a case-by-case basis. The assessment shall consider whether contrast and
colour are clearly misleading for the data subject and do not result in unintentional and
therefore invalid consent. This assessment is in line with the Cookie Banner taskforce
report. 6
IMY does not consider that the option to refuse and to accept cookies needs to look
exactly the same in order to comply with the GDPR's provisions on consent. However,
they must be equivalent in order for the data subject not to be misled in their choice.
During the period in question, ATG used two different colours for the ‘Select your
cookies’ and ‘Accept all cookies’ options. For the option not to accept cookies a link
was used and for accepting cookies a button was used. The link consisted of
grey/black text and the button to approve was green with white text. The background
of the banner was white. The option of not accepting cookies, i.e. the link, is therefore
not perceived as prominent as a green button on a white background. Furthermore, it
is not clear that the link constitutes a possible choice for a user. It seems more like
information because the text "Choose your cookies" is designed in the same way as
the general information about cookies in the banner. IMY therefore considers that the
design of the cookie banner reinforced the perception that the user should click to
accept cookies. This must also be seen in the light of the fact that the cookie banner
had the heading ‘Accept cookies’. IMY considers that ATG's design of the cookie
banner and the choice of colours and contrasts were designed to encourage the data
subject to accept cookies. ATG has stated that the company needs to comply with
regulations to improve accessibility. IMY does not consider that this justifies the need
for the company to highlight the option of accepting cookies.
IMY’s assessment is that the complainant’s consent cannot have been an expression
of its unambiguous wish, since the design made it appear that there were no other
options than to consent. The complainant cannot therefore have been considered to
have had the opportunity to give an informed and freely given consent.
ATG has changed the design of its cookie banner after the complaint. IMY considers
that these changes brought some improvements for the data subject to provide freely
given and informed consent. However, IMY believes that despite the changes, the
design makes the option to accept all cookies more prominent than refusing. This is
because the option to accept cookies still has a stronger contrast to the background
than the option to refuse cookies. Against that background, IMY considers that ATG
used misleading design in its choice of colour and contrast in its cookie banner, which
affects the complainant’s ability to give an informed and freely given consent.
Summary
ATG has not made it as easy to withdraw consent as to give it. In addition, the
company has used misleading designs in its choice of colour and contrast in the
cookie banner, which affected the complainant’s ability to give an informed and freely
6 Report on the work of the Cookie Banner Taskforce, adopted on 17 January 2023, para. 17.
given consent. There was therefore no valid consent and consequently no legal basis
for processing the complainant’s personal data. ATG therefore processed the
complainant’s personal data in breach of Article 6 and Article 7(3) of the GDPR.
Choice of corrective measure
Pursuant to Article 58(2)(i) and Article 83(2) of the GDPR, IMY has the power to
impose administrative fines in accordance with Article 83. Depending on the
circumstances of the case, administrative fines shall be imposed in addition to or
instead of the other measures referred to in Article 58(2), such as injunctions and
prohibitions. Furthermore, Article 83(2) determines the factors to be considered when
imposing administrative fines and when determining the amount of the fine. In the case
of a minor infringement, IMY may, as stated in recital 148, instead of imposing a fine,
issue a reprimand pursuant to Article 58(2)(b). Aggravating and mitigating
circumstances of the case need to be taken into consideration. These could include
the nature, gravity and duration of the infringement as well as past infringements of
relevance.
IMY notes the following relevant facts. IMY has assessed that the company has not
had a legal basis to process the complainants' personal data. Although ATG is not
considered to have made the withdrawal as easy as the giving of consent, there has
been an opportunity to withdraw consent and the company has made some
improvements after the complaint to make it easier for the data subject. ATG has also
made some improvements to the design of the cookie banner, although these have
been considered insufficient. The company has not previously been found to have
infringed the GDPR.
Against this background, IMY considers these minor infringements within the meaning
of recital 148 and that ATG is to be given a reprimand pursuant to Article 58(2)(b) of
the GDPR.
How to appeal
If you wish to appeal the decision, you should write to the Swedish Authority for
Privacy Protection (IMY). Indicate in the letter which decision you wish to appeal and
the change you are requesting. The appeal must have been received by IMY no later
than three weeks from the day you received the decision. If the appeal has been
received in time, IMY will then forward it to the Administrative Court in Stockholm for
review.
You can e-mail the appeal to IMY if it does not contain any privacy-sensitive personal
data or information that may be covered by confidentiality. IMY’s contact information is
shown in the first page of the decision.