Requiring website users to uncheck a pre-ticked box does not count as valid cookie consent under the GDPR, says EU top court advisor.
Maciej Szpunar’s opinions are not binding, although the CJEU often follows them, and the outcome of the case is much anticipated by regulators and data protection authorities.
Pre-selected cookie boxes
The case against Planet49 centers on two checkboxes that visitors and would-be players meet when they visit the website.
The first, a requirement of participation, was unchecked and asked users to agree to receive material from sponsors and partners for marketing purposes. The second box, asking users to consent to the site’s cookies, was pre-selected, i.e. pre-checked to accept all cookies.
The Advocate General’s understanding is that the pre-ticked box for cookies does not provide valid consent under the GDPR. Requiring users to deselect the box in order to decline cookies does not meet the GDPR’s requirements that consent be “freely given” and “informed”. Websites and companies cannot assume that, by not unchecking a box, users actively give their consent to cookies.
IAB – we are not surprised
The idea that pre-ticked boxes for cookie consent do not meet the bar for consent is nothing new and not controversial. IAB Europe, the AdTech industry body, released an announcement stating that the Advocate General’s opinion was not surprising.
“Any publisher, advertiser or technology company who was surprised by the Advocate General’s opinion should take this as a subtle hint to up their data protection game, and consider adopting the Framework with a view to achieving greater GDPR and ePrivacy Directive compliance”. – quote from IAB article.
Still, given the widespread use of pre-ticked cookie boxes and inactive consent, privacy advocates welcome the fact that the issue has been addressed officially, and they are awaiting clear confirmation on the matter from the EU’s top court.
How to get GDPR cookie compliant
There are certain standards a website, whether company or privately owned, must meet to comply with the GDPR.
First, website users must be properly informed about the usage of cookies: which cookies are set, and which operators (parties) set them.
Second, users must be given the possibility to accept or decline the storage of cookies set from the website. This is achieved with privacy controls that must be unchecked by default. If the user wants to give consent, he or she must actively, and freely, check the box.
Third, and most importantly, websites are not allowed, according to recital 32 of the GDPR, to store information on the users’ end terminal unless:
“a consent is given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her”.
In essence, this means that when a website uses a third-party service which sets cookies (functional, statistical or marketing), explicit consent must be obtained from the user; otherwise consent is not given. Therefore, pre-checked boxes do not count as consent.
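The three requirements above can be enforced in code before any cookie is written. The following is an added example, not taken from the original article or from any consent framework; every field, function and cookie name in it is hypothetical. It treats a category as consented only when the information notice was shown and the user ticked the box themselves, and it flags any box that is checked without user action.

```javascript
// Added illustration; all names here are hypothetical.
const CATEGORIES = ["functional", "statistical", "marketing"];

// Initial form state: every box starts unchecked.
function defaultControls() {
  return CATEGORIES.map((category) => ({
    category,
    checked: false,     // what the checkbox currently shows
    userToggled: false, // true only after the user clicked it
    noticeShown: false, // true once the cookie information was displayed
  }));
}

// Audit: categories whose box is ticked without any user action.
function auditDefaults(controls) {
  return controls.filter((c) => c.checked && !c.userToggled).map((c) => c.category);
}

// Consent counts only when informed AND actively given.
// A box that was merely left checked never counts.
function consentedCategories(controls) {
  return controls
    .filter((c) => c.noticeShown && c.userToggled && c.checked)
    .map((c) => c.category);
}

// Split requested cookies into allowed and blocked; unknown categories are blocked.
function gateCookies(requested, controls) {
  const ok = new Set(consentedCategories(controls));
  const allowed = [];
  const blocked = [];
  for (const cookie of requested) {
    (ok.has(cookie.category) ? allowed : blocked).push(cookie.name);
  }
  return { allowed, blocked };
}

// Constructed sample data: a pre-ticked form next to a form where the
// user actively ticked only "statistical".
const preTicked = defaultControls().map((c) => ({ ...c, checked: true, noticeShown: true }));
const optedIn = defaultControls().map((c) => ({
  ...c,
  noticeShown: true,
  checked: c.category === "statistical",
  userToggled: c.category === "statistical",
}));
const requested = [
  { name: "ui_lang", category: "functional" },
  { name: "stats_id", category: "statistical" },
  { name: "ad_track", category: "marketing" },
];
console.log(auditDefaults(preTicked), gateCookies(requested, preTicked), gateCookies(requested, optedIn));
```

With the pre-ticked form, every category is flagged by the audit and no cookie is allowed; with the opted-in form, only `stats_id` passes.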