A decision by the Data Protection Authority on 27 October 2022 once again establishes the requirements for valid consent, and in particular the limits on how sufficient information is processed.
The Danish Data Protection Authority has severely criticised JP/Politikens Hus A/S for its processing of personal data of website visitors to Ekstra Bladet, which did not comply with the data protection rules on consent. On the website, the user was introduced to a consent solution that gave the option to either accept all cookies, customise settings or only opt-in to necessary cookies. The options were indicated in green, grey and red respectively. The consent solution also included in the first line a description of the different processing purposes. If the user chose the option to customise settings, it was possible to opt in and out of the processing purposes in the second part of the consent solution.
The GDPR requires that consent must be voluntary, specific, informed and an unambiguous expression of will by the data subject, who in this case were the website visitors. This means, among other things, that the data subject must give consent actively and freely and that the consent must be limited in purpose. In addition, the data subject must be adequately informed about what is being consented to before giving consent. This includes the purpose of the processing.
The EDPS found that the consent was not sufficiently informed, as the website visitor was not informed of all the purposes of the processing in the first stage of the consent procedure. The second indent of the solution provided a preference purpose, which the user only became aware of if he chose to customise settings, and thus not if the user chose to accept all cookies without reading the information in the second indent.
The EDPS also explained the rules applicable to the choice of different colours and designs in the cookie solutions, which may determine whether the user accepts or rejects cookies - so-called nudging. The supervisor stated that there is a lot of freedom, but that it must not push the user in the direction of an illegal scenario. In the case in question, where acceptance of all cookies was indicated in a green colour (in a consent solution with a traffic-light-like design), the colour would push the user towards consent that was not sufficiently informed and the choice of colour was therefore not allowed. The decision illustrates the strict requirements that data protection law imposes on consent.
Contact one of our experts if you want to make sure that the consents you get from customers are legal. The difference between legal and non-legal consents can have a big impact
