Cookies: No pre-ticked boxes allowed!

Requiring website users to uncheck a pre-ticked box does not count as valid cookie consent under the GDPR, says EU top court advisor.

On March 21, 2019, Advocate General Maciej Szpunar published his opinion in the case against a German lottery website run by Planet49 GmbH. The case which is currently pending before the Court of Justice of the European Union (CJEU) centers on the collection of consent for the use of cookies and the processing of personal data.

Although Maciej Szpunar’s opinions are not binding – though often followed by the CJEU – the outcome of the case is much-anticipated by regulators and data protection authorities.

Pre-selected cookie boxes

The case against Planet49 centers around two checkboxes which meet visitors and would-be players when they visit the website.

The first – a requirement of participation – was unchecked and asked the users to agree on receiving material from sponsors and partners for marketing purposes. The second box – asking users to consent to the site’s cookies – was pre-selected i.e. pre-checked for accepting all cookies.  

The Advocate General’s understanding is, that the pre-ticked box for cookies does not provide a valid consent according to the GDPR. The fact that users must deselect the box to decline cookie consent does not comply with the GDPR’s provisions for a consent being “freely given” and “informed”. Websites and companies cannot assume that, by not unchecking a box, the users actively give their consent to cookies.

Finally, the Advocate General clarifies that users must be provided with clear information about the use of cookies. This information must specify all third parties which store – and have access to – cookies, and for how long the cookies will be stored in the user’s browser.

IAB – we are not surprised

The concept that pre-ticked boxes for cookie consent do not meet the bar for consent is nothing new and not controversial. The IAB Europe – AdTech industry body – released an announcement stating that the Advocate General’s opinion was not surprising.

Any publisher, advertiser or technology company who was surprised by the Advocate General’s opinion should take this as a subtle hint to up their data protection game, and consider adopting the Framework with a view to achieving greater GDPR and ePrivacy Directive compliance

quote from IAB article

Still, given the widespread use of pre-ticked cookie boxes and in-active consents, privacy advocates welcome the fact that the issue has been addressed officially and they are awaiting clear confirmation on the matter by the EU’s top court.

Link: What is the IAB Framework for Transparency and Consent?

How to get GDPR cookie compliant

There are certain standards a website – being company or privately owned – must meet to comply with the GDPR.

First, website users must be properly informed about the usage of cookies; which cookies are set; and who the operators (parties) which set cookies are.

Second, users must be given the possibility to accept or decline the storage of cookies set from the website – this is achieved with privacy controls which need to be pre-selected unchecked. If the user wants to give consent, he or she must actively – and freely – check the box.

Third, and most importantly, websites are not allowed – according to recital 32 of the GDPR – to store information on the users’ end terminal unless:

a consent is given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subjects agreement to the processing of personal data relating to him or her.

In essence, this means, when a website uses a third-party service which sets cookies (functional, statistical or marketing) an explicit consent must be obtained from the user, or else consent is not given. Therefore, pre-checked cookie boxes do not count as consent.

Share on facebook
Share on twitter
Share on linkedin
Share on email

- Webinars - Webinars - Webinars - Webinars

- Webinars - Webinars - Webinars - Webinars

Where to start with cookies?

Join our webinars about compliance in the Nordics