Unfair design practices resulted in a 345 million euro fine
The Irish Data Protection Commission announced a 345 million euro fine after a social media platform failed to comply with the GDPR’s principle of fairness. Among other things, the unfair data processing practices related to two pop-up notifications shown to children aged 13 to 17. The company was also reprimanded and issued an order to bring processing into compliance within three months.
After monitoring a video-focused social media platform for a while, the Irish Data Protection Commission began an inquiry. It focused on how the company processed personal data relating to child users while complying with the principle of fairness as part of default settings.
Among other things, it assessed the design of two specific pop-up notifications shown to children. One notification appeared as part of the registration process, and the other appeared upon posting a video. Both pop-up notifications were designed so that users were nudged into having public profiles by default and posting their videos publicly. No special settings were applied for child users.
Reprimand, order, and a fine
Neither of the pop-up notifications complied with the principle of fairness, as the users were not presented with the options in an objective and neutral way. Besides the fine, the company was reprimanded and received an order to bring processing into compliance within three months.
The issue with the first notification was that users were simply presented with two options. Choosing a private setting required users to actively choose to “go private”. Alternatively, the second option was to just “skip” making a choice, resulting in a public account by default. Again, no special safeguards were applied for child user accounts. Also, no reference was included to the privacy policy or the special summary the company had made for child users.
The issue with the second notification was, again, that only two options were offered when a user with a public account chose to post a video. Users could choose “cancel” or “post now”, and the “post now” option was shown in bold font. Again, the notification did not make it sufficiently clear to child users that their data would become visible to an indefinite audience upon posting.
IUNO’s opinion
Companies are responsible for ensuring that privacy settings are objective and neutral. In short, it must not be difficult for data subjects to adjust privacy settings and limit processing. In this connection, the threshold for ensuring adequate safeguards is even higher when sensitive data or data relating to children is involved. We have previously focused on consent and nudging here.
Nudging can come in various forms. It does not only exist on social media platforms or as part of cookie consent. IUNO recommends an increased focus on deceptive or manipulative settings to ensure privacy by design. Otherwise, such practices are likely to result in a breach of the applicable data protection rules. We have previously written about a failure to ensure the appropriate settings in an employment setting here.
[Decision of the Data Protection Commission made pursuant to Section 111 of the Data Protection Act, 2018 and Articles 60 and 65 of the General Data Protection Regulation of 1 September 2023, finally adopted on 15 September 2023]