THE DEMENTOR’S KISS: Websites implicitly take user’s consent without explicitly asking for it.

Namrata Agarwal
4 min readJul 7, 2021


The video above would take you to its youtube page.

Early this year, I purchased a book through Bokus, a leading bookseller here in Sweden. I had specifically chosen to pay directly through my visa card instead of paying through Klarna, Europe’s largest private fintech. I had to reimburse this purchase through my office, so I wanted a receipt. That is when it all started!

To my horror, I had to go through a conversation with customer care to get a receipt. I got stuck in the spider web, realizing I had to communicate with Klarna. Several questions ran through my head -

  • I purchased from Bokus, why do I have to converse with Klarna?
  • When did Klarna come into the picture?
  • I had paid through my card and not opted for Klarna, so how did Klarna know about my purchase?
  • Have I been kissed by Klarna’s dementor?

The experience got worse when neither Bokus nor Klarna took responsibility for the incomplete invoice.

Mail conversation wherein neither Klarna or Bokus take ownership.

Eventually, giving me a painful experience and Bokus lost me as a future customer.

When I spoke to my colleagues and friends, quite many had similar experiences, some with Webhallen, XXL, Elgiganten, and many more. I wonder how many more of us have gone through similar experiences?


Klarna provides a checkout platform for many brands who don’t want to build something of their own. Bokus had the same.

Bokus’s checkout page. Klarna implicitly took consent.

The problem arises because Klarna implicitly took the consent without explicitly asking for it.

Klarna became a dementor and sucked its user’s soul. It took all the contact details, social security numbers, payment card details and stored them in its database for 15 years!!! I cannot even opt-out of it. All Klarna says is, “If you do not want these tracking technologies, you must refrain from using Klarna’s cash solution and payment methods.”

  • Is this ethical?
  • Is my privacy being respected?
  • Do I have a choice to keep my data protected?
  • What will they do with my data?
  • Is this legal?
  • Is it in compliance with GDPR?

I ran a little fun survey within my close-knit group of UXers. Most of us don’t read the Terms & Conditions before making a purchase. Some of us use our reflexes to click on the buy button and complete the purchase, missing out on a tiny text beneath. Many users are in a rush to complete the purchase rather than reading through piles of words mentioned on the links in these tiny texts.

Quant survey showing many people don’t read terms and conditions and some not even noticed Klarna’s implicit consent text beneath the confirm purchase button.

As per GDPR, consent must be separate from other matters and cannot be bundled into terms and conditions or privacy notices. The key point is that the website should be upfront with its users about their use of cookies. One should obtain explicit consent by giving the user-specific separate information about what they are being asked to agree to and providing them with a way to accept employing a positive action to opt-in.

According to Cookiebot, neither Klarna’s nor Bokus’s website are in compliance with GDPR.

Cookiebot analytics showing neither Klarna nor Bokus follow GDPR guidelines on their respective websites.

Very recently, Klarna faced a data breach. Users were being logged in as other people, giving them access to stranger’s personal information.

That included randomized postal addresses and past purchases. Partial

card details were also exposed. As a user, I never logged in through Klarna, never made any payment, never used it, yet Klarna has a lot of my data.

Tweet about Klarna’s data breach


A simple solution by just asking, ask them and repeatedly and by being fair, more transparent, and accountable to the people who use the website will increase their trust and confidence. And that benefits everyone.

Betala med kort via Klarna (Pay with card via Klarna) provides clear understanding to the user that the only payment method available is via Klarna.

Secondly, before confirming the purchase, the users are made explicitly aware through checkboxes about Klarna’s cookies and policies instead of earlier implicit ways.

Simple solution to turn implicit into explicit consent.
Before and after comparison.

There aren’t many data protection laws in place yet, nor GDPR and other existing laws that have rabbit holes that hackers and companies take advantage of. We as UX designers have to take responsibility for voicing such concerns and unethical practices.



Namrata Agarwal

UX Designer I Graphic Designer