JP/Politikens Hus A/S – Violation Found (Denmark, 2022)

JP/Politikens Hus A/S (controller) is an operator of the news website, www.eb.dk. In 2021, the Danish DPA conducted an inspection into how the controller processed personal data of visitors on its website. During the check, the website had a cookie consent solution allowing the visitors to click on three different boxes: "Only necessary" (in a red box), "Customise settings" (in a grey box) and "Accept all" (in a green box). From the "first layer" of the consent solution, it appeared that the controller processed personal data for statistical and marketing purposes. In the "second layer", which the visitor could access by clicking on "Customise settings", the visitor could select the processing for preferences, statistics and marketing. The DPA held that visitors of the controller's website did not give informed consent, as visitors who clicked on "Accept all" did not receive information about all processing purposes. Namely, information about the preferential purpose only appeared from the "second layer". As a result, the consent did not meet the requirements of Article 4(11) GDPR, and thus the controller could not rely on Article 6(1)(a) GDPR as a legal basis for the processing. Furthermore, the DPA also held that using a traffic light-like colour and design scheme in the consent solution constitutes a form of "guiding" (nudging). Therefore, as it interferes with the user's ability to make an informed choice, it is incompatible with the principles of lawfulness, fairness, and transparency of Article 5(1)(a) GDPR. Consequently, the DPA reprimanded the controller for the identified violations.