Aktiebolaget Trav och Galopp – Complaint Upheld (Sweden, 2024)
A complaint against Aktiebolaget Trav och Galopp revealed that their cookie consent process was misleading. Users found it hard to refuse cookies, which violated transparency rules. This case shows that companies must make it easy for users to manage their cookie preferences.
What happened
The Swedish DPA upheld a complaint against Aktiebolaget Trav och Galopp for making it difficult for users to refuse cookies and give valid consent.
Who was affected
Users of Aktiebolaget Trav och Galopp's website were affected by the confusing cookie consent process.
What the authority found
The DPA found that the company violated GDPR by not allowing users to give informed consent and by making it harder to refuse cookies than to accept them.
Why this matters
This ruling stresses the importance of clear and user-friendly consent mechanisms for cookies, which all businesses should adopt to comply with data protection laws.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject advanced a complaint against Aktiebolaget Trav och Galopp, one of the biggest Swedish gambling companies, the controller, alleging that users could not give valid consent, and that they could not refuse cookies. More specifically, the choice of colour, contrast and links of the cookie banner was claimed to be misleading. This does not allow the data subject to give an “informed and freely given consent”, thus allegedly violating the principle of transparency. The controller claimed that, at the time of the complaint, consent was the legal basis for the processing and that it was possible to refuse cookies as well as withdraw consent in the second layer, i.e. through the link placed in the cookie banner, under the heading "How do I manage the acceptance/rejection of cookies?". As of October 2021, the controller introduced a clear “refuse” button instead of a link leading to a second layer where cookies could be rejected. Moreover, the controller changed the colour and contrast of the acceptance and refusal buttons. Finally, no cookies other than necessary cookies were placed in the visitor's browser before the data subjects gave their consent. While the DPA recognized that the Swedish Post and Telecom Authority is, generally, the sole competent authority over the [https://www.riksdagen.se/sv/dokument-och-lagar/dokument/svensk-forfattningssamling/lag-2022482-om-elektronisk-kommunikation_sfs-2022-482/ Swedish Electronic Communications Act 2022:482], it also considered that the personal data processing taking place after collection of such data, is subject to the GDPR. Thus, the DPA decided to analyse the matter only to the extent concerning the processing of personal data that took place after the data was collected and to the deficiencies presented in the complaint. The DPA focused its analysis on the requirements of consent under Articles 6(1)(a) and 4(11) GDPR. More specifically, it considered that, for consent to be “freely given and informed”,
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Violations (4)
Cookie banner does not provide a clear reject/refuse all button at the same level as the accept button.
Art. 7 GDPR
Refusing cookies requires more clicks or steps than accepting them, or the reject option is less visually prominent.
Art. 7 GDPR
The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).
Art. 7 GDPR
No accessible mechanism exists for users to withdraw previously given cookie consent.
Art. 7(3) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Aktiebolaget Trav och Galopp in SE
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Aktiebolaget Trav och Galopp - Sweden (2024). Retrieved from cookiefines.eu
Last updated: