I strongly oppose the consent order in this instance, as it is in a different category from the others, and the proposed order is not appropriate in this case. DDC labs is a DNA/paternity testing provider with a very heavy online presence and a large EU market share. DNA data is very sensitive and very high risk (even more so in the age of Big Data), so a "light touch" consent order with, in effect, no real sanctions, is quite inappropriate. A false assertion of adequate privacy protection in this particular industry must be treated more seriously. The requirement here is for actual sanctions, and an explicit, widely publicised warning to existing EU customers.