Norwegian DPA: Order to improve solutions for consent

1 July 2021 Norway

The Norwegian Data Protection Authority has ordered the company Smartere Utdanning AS to improve its solution for obtaining consent in order to comply with the requirements of the General Data Protection Regulation (GDPR).

This is in response to a complaint from an individual, who found she was targeted with advertising from Smartere Utdanning AS on Facebook and via e-mail.

“The complainant, who had previously attended a free webinar provided by the company, found she was getting ads on Facebook and via e-mail without having consented to this. This happened despite the complainant repeatedly having asked to have her personal data erased,” says the Director-General of the Data Protection Authority, Bjørn Erik Thon.

Smartere Utdanning claimed that anyone who used their services automatically consented to Facebook and e-mail marketing. According to the company, the complainant had therefore already consented to the marketing when she took a course, as this was specified in their privacy policy.

Targeted audience
Smartere Utdanning advertises via e-mail and Facebook via so-called “targeted audiences”. By uploading customer lists to Facebook, the social platform is able to match these lists with existing Facebook profiles and target these profiles with ads.

After reviewing the matter, the Data Protection Authority has concluded that this type of obtaining consent is in violation of the GDPR. The regulation requires consent to be freely given and specific.

“It is a basic requirement of the GDPR that consent for processing of personal data must be freely given and specific. We should be able to choose whether we want to consent to marketing when we buy a service. For example, we should be able to consent to one type of marketing via e-mail, without also having to consent to marketing via Facebook,” says Bjørn Erik Thon.

On this basis, the Data Protection Authority has ordered Smartere Utdanning to change the way they obtain consent, in order to establish compliance with the requirements of the GDPR. The company has also been ordered to erase any and all personal data about the complainant.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

The original press release in Norwegian is available here

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.