Inability to prove the validity of consent: the Garante fines 120,000 euros

The Italian Data Protection Authority (the Garante) took action against two insurance comparison sites, which were fined 120,000 euros because they failed to prove the validity of the consents they had obtained.

The ruling comes almost a year after the start of the investigation, which began with a number of reports and a complaint.

From the investigations conducted on the sites involved, the Garante noted that:

  • When filling out the information to receive the requested quote, some consents were marked as “mandatory” and others—such as consent to marketing activities—were pre-selected.
  • Once the user received the quote via email, he/she could view the result by clicking on a “Go to Quote” link. Once the link was clicked, all optional consents were saved as having been granted, even if the user hadn’t actively given their consent.

The company clarified that this happened because of a system bug and was not a voluntary action. However, consent that did not accurately reflect the user's choice was recorded for 9,700 users, and consent that was never granted was saved for 2,155 users.

All this led the Garante to its final decision: a fine of 120,000 euros.

How was the GDPR violated?

Under the GDPR, consent is a matter of great importance and must meet specific requirements: it must be freely given, specific, informed and unambiguous. In the case presented here, consent was not freely given, as some boxes on the quote request form were pre-selected.

The failure of the data controllers to demonstrate that the consents they had received were obtained in accordance with the GDPR’s requirements was the cause of the fine.

It is the responsibility of the controller to prepare unambiguous proof of consent that contains:

  • by whom and when consent was given;
  • what preferences were expressed;
  • legal or privacy notices in effect when consent was collected;
  • what form was completed when consent was given;
  • whether consent was withdrawn.

How to collect a proof of consent

Collecting a proof of consent that contains all these elements is not easy. However, there are solutions that can come to your aid, such as iubenda’s Consent Database!

Thanks to the Consent Database, you can adapt your forms and store a proof of consent as required by the GDPR:

  • it integrates seamlessly with your data collection forms (you can choose the option you prefer: frontend, backend, WordPress plugin or automation tools like Zapier and Make);
  • it syncs with your legal documents;
  • it includes an intuitive dashboard that allows you to retrieve consents at any time.


💡 As you may know, many Data Protection Authorities across Europe (including the UK, France, Italy, Belgium, and more) have aligned their rules on cookies and trackers with the requirements of the GDPR. If you’re using non-technical cookies, you may also need the Cookie and Consent Preference Logs.