On April 17th, 2023, the Italian data protection authority (Garante) took action against a digital marketing services company for breaching the General Data Protection Regulation (GDPR) by employing so-called ‘dark patterns’ to secure users’ consent. This impermissible conduct resulted in considerable monetary penalties of €300,000.
The sanctioned digital marketing services company executed promotional campaigns through text messages, emails and automated calls via its client list which was composed of data directly obtained from online portals and purchased from third parties.
The Garante established that during the sign-up procedure, the user would be requested to grant approval regarding advertising objectives and sharing personal information with external entities. If no permission was given, a notice would appear on screen, framing a big ‘consent’ button and a comparatively less visible ‘continue without accepting’ option located at the bottom of the webpage. According to the European Data Protection Board guidelines, this interface with its graphical elements was regarded as a ‘dark pattern’ enforced to manipulate people into granting their authorization.