The Swedish Authority for Privacy Protection (IMY) has, for the first time, issued decisions specifically concerning cookie banners under the GDPR. The three cases examine how organisations inform users about and obtain consent for cookies that involve the processing of personal data, including for purposes such as profiling and targeted advertising.
IMY found that none of the three organisations had a valid legal basis for processing personal data collected through cookies. In two of the cases, the issues related to consent. Either users were not properly informed about their right to withdraw consent or the design of the cookie banners was misleading, steering users toward accepting all cookies. In the third case, the organisation relied on legitimate interest as the legal basis for processing but failed to demonstrate that the conditions required under the GDPR for using that basis were met.
IMY’s assessment was partially based on guidance from EDPB on dark patterns (Guidelines 03/2022), which highlight (amongst other things) how design choices can interfere with users’ ability to provide informed and voluntary consent.
All decisions resulted in formal warnings, no administrative fines were issued.
Click here to read the press statement and the decisions (in Swedish only).
