The Italian Data Protection Authority (The Garante) released action against two insurance comparison sites, which were fined 120,000 euros because they failed to prove the validity of the consents they had obtained.
Avevano registrato migliaia di consensi per finalità di #marketing, ma a causa di un bug non sono riusciti a dimostrare la reale volontà degli utenti e che il consenso fosse stato davvero espresso. Il #GarantePrivacy sanziona per 120.000 euro due siti di comparazione di polizze👇— Garante Privacy (@GPDP_IT) March 2, 2023
The ruling comes almost a year after the start of the investigation, which began with a number of reports and a complaint.
From the investigations conducted on the sites involved, the Garante noted that:
The company clarified that this happened because of a system bug and was not a voluntary action. However, for 9,700 users, consent that did not accurately reflect choice was recorded, and for 2,155 users, consent that was never granted had been saved.
All this led the Garante to its final decision: a fine of 120,000 euros.
Under the GDPR, consent is a matter of great importance and must meet specific requirements: it must be freely given, specific, informed and unambiguous. In the case presented here, it was not freely given consent, as some boxes on the form to request the quote were pre-selected.
The failure of the data controllers to demonstrate that the consents they had received were obtained in accordance with the GDPR’s requirements was the cause of the fine.
It is the responsibility of the controller to prepare unambiguous proof of consent that contains:
Collecting a proof of consent that contains all these elements is not easy, however, there are solutions that can come to your aid, such as iubenda’s Consent Database!
Thanks to the Consent Database, you can adapt your forms and store a proof of consent as required by the GDPR:
💡 As you may know, many Data Protection Authorities across Europe (including the UK, France, Italy, Belgium, and more) have aligned their rules on cookies and trackers with the requirements of the GDPR. Then you may also need the Cookie and Consent Preference Logs, if you’re using non-technical cookies.