Logo and page links

Main menu

Order to improve solutions for consent

The Norwegian Data Protection Authority has ordered the company Smartere Utdanning AS to improve its solution for obtaining consent in order to comply with the requirements of the General Data Protection Regulation (GDPR).

This is in response to a complaint from an individual, who found she was targeted with advertising from Smartere Utdanning AS on Facebook and via e-mail.

“The complainant, who had previously attended a free webinar provided by the company, found she was getting ads on Facebook and via e-mail without having consented to this. This happened despite the complainant repeatedly having asked to have her personal data erased,” says the Director-General of the Data Protection Authority, Bjørn Erik Thon.

Smartere Utdanning claimed that anyone who used their services automatically consented to Facebook and e-mail marketing. According to the company, the complainant had therefore already consented to the marketing when she took a course, as this was specified in their privacy policy.

Targeted audience

Smartere Utdanning advertises via e-mail and Facebook via so-called “targeted audiences”. By uploading customer lists to Facebook, the social platform is able to match these lists with existing Facebook profiles and target these profiles with ads. 

After reviewing the matter, the Data Protection Authority has concluded that this type of obtaining consent is in violation of the GDPR. The regulation requires consent to be freely given and specific.

“It is a basic requirement of the GDPR that consent for processing of personal data must be freely given and specific. We should be able to choose whether we want to consent to marketing when we buy a service. For example, we should be able to consent to one type of marketing via e-mail, without also having to consent to marketing via Facebook,” says Bjørn Erik Thon.

On this basis, the Data Protection Authority has ordered Smartere Utdanning to change the way they obtain consent, in order to establish compliance with the requirements of the GDPR. The company has also been ordered to erase any and all personal data about the complainant.