On April 17, 2023, the Italian Supervisory Authority (“Garante”) published its decision against a company operating digital marketing services, finding several GDPR violations, including the use of so-called “dark patterns” to obtain users’ consent. The Garante imposed a fine of 300.000 EUR.
We provide below a brief overview of the Garante’s key findings.
The sanctioned company operated marketing campaigns on behalf of its clients, via text messages, emails and automated calls. The company’s database of contacts was formed by data collected directly through its online portals (offering news, sweepstakes and trivia), as well as data purchased from data brokers.
Dark patterns. The Garante found that, during the subscription process, the user was asked for specific consent relating to marketing purposes and sharing of data with third parties for marketing. If the user did not select either of the checkboxes, a banner would pop up, indicating the lack of consent, and displaying a prominent consent button. The site also displayed a “continue without accepting” option, but this was placed at the bottom of the webpage – outside of the pop-up banner – in simple text form and smaller font size, which made it less visible than the “consent” button. The Garante, referring to the EDPB’s guidelines (see our blogpost here), held that the use of such interfaces and graphic elements constituted “dark patterns” with the aim of pushing individuals towards providing consent.
Double opt-in. The Garante noted that consent was not adequately documented. While the company argued that it required a “double opt-in”, the evidence showed that a confirmation request was not consistently sent out to users. The Garante recalled that double opt-in is not a mandatory requirement in Italy, but constitutes nonetheless an appropriate method to document consent.
“Invite a friend” option. Some of the company’s online portals offered an “invite a friend” option, asking users to provide contact details of third-party individuals who may be interested in the service. The Garante clarified that the provision of such data does not qualify as consent for future promotional communications to those third parties, because the referrer is not, as a rule, entitled to provide valid consent on the third party’s behalf.
Other violations. The Garante found that the company and its clients had incorrectly identified their privacy roles. In particular, it held that companies collecting and managing lists of data with the objective of enriching their own databases qualify as independent controllers (and not as processors). Additionally, the Garante indicated that companies acquiring data from third parties should verify that the data is (i) acquired lawfully, (ii) accurate, and that (iii) consents are up to date.
The Garante’s decision aligns with its approach in the area of marketing, and with the principles formalized in the recently approved Code of conduct on telemarketing and telesales (see our blogpost here).
The Covington team regularly monitors regulatory and enforcement developments across Europe. Our team is happy to advise on any queries relating to dark patterns, and any other data protection matter.
(This blog post was written with the contributions of Alberto Vogel.)