Although Maciej Szpunar’s opinions are not binding – though often followed by the CJEU – the case’s outcome is much-anticipated by regulators and data protection authorities.
Pre-selected cookie boxes
The case against Planet49 centers around two checkboxes which meet visitors and would-be players when they visit the website.
The first – a requirement of participation – was unchecked and asked the users to agree to receive material from sponsors and partners for marketing purposes. The second box – asking users to consent to the site’s cookies – was pre-selected i.e., pre-checked for accepting all cookies.
The Advocate General’s understanding is that the pre-ticked box for cookies does not provide valid consent according to the GDPR. The fact that users must deselect the box to decline cookie consent does not comply with the GDPR’s provisions for consent being “freely given” and “informed”. Websites and companies cannot assume that the users actively give their consent to cookies by not unchecking a box.
IAB – we are not surprised
The concept that pre-ticked boxes for cookie consent do not meet the bar for consent is nothing new and not controversial.
The IAB Europe - AdTech industry body - released an announcement stating that the Advocate General's opinion was not surprising.
"Any publisher, advertiser or technology company who was surprised by the Advocate General's opinion should take this as a subtle hint to up their data protection game, and consider adopting the Framework with a view to achieving greater GDPR and ePrivacy Directive compliance ."
Still, given the widespread use of pre-ticked cookie boxes and in-active consents, privacy advocates welcome the fact that the issue has been addressed officially. They are awaiting clear confirmation on the matter by the EU’s top court.
A website must meet certain standards – being company or privately owned – to comply with the GDPR.
First, website users must be informed appropriately about cookies’ usage, which cookies are set; and who are the operators (parties) that have set cookies.
Second, users must be given the possibility to accept or decline the storage of cookies set from the website – this is achieved with privacy controls that need to be pre-selected unchecked. If the user wants to give consent, it must actively – and freely – check the box.
Third, and most importantly, websites are not allowed - according to
recital 32 of the GDPR
- to store information on the users' end terminal unless:
"Consent is given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subjects' agreement to the processing of personal data relating to him or her."
When a website uses a third-party service that sets cookies (functional, statistical, or marketing), explicit consent must be obtained from the user, or else consent is not given. Therefore, pre-checked cookie boxes do not count as consent.