Cookies: No pre-ticked boxes allowed!

Requiring website users to uncheck a pre-ticked box does not count as valid cookie consent under the GDPR, says EU top court advisor.
On March 21, 2019, Advocate General Maciej Szpunar published his opinion in the case against a German lottery website run by Planet49 GmbH.
The case, which is currently pending before the Court of Justice of the European Union (CJEU), centers on collecting consent for the use of cookies and the processing of personal data.
Although Maciej Szpunar’s opinions are not binding, the CJEU often follows them, and the case’s outcome is much anticipated by regulators and data protection authorities.

Pre-selected cookie boxes

The case against Planet49 centers on two checkboxes presented to visitors and would-be players when they visit the website.
The first – a requirement of participation – was unchecked and asked users to agree to receive material from sponsors and partners for marketing purposes. The second box – asking users to consent to the site’s cookies – was pre-selected, i.e., pre-checked to accept all cookies.
The Advocate General’s understanding is that the pre-ticked box for cookies does not provide valid consent according to the GDPR. The fact that users must deselect the box to decline cookie consent does not comply with the GDPR’s provisions for consent being “freely given” and “informed”. Websites and companies cannot assume that the users actively give their consent to cookies by not unchecking a box.
Finally, the Advocate General clarifies that users must be provided with clear information about the use of cookies. This information must specify all third parties that store – and have access to – cookies and for how long the cookies will be stored in the user’s browser.

IAB – we are not surprised

The concept that pre-ticked boxes for cookie consent do not meet the bar for consent is nothing new and not controversial.
IAB Europe, the AdTech industry body, released an announcement stating that the Advocate General's opinion was not surprising.

"Any publisher, advertiser or technology company who was surprised by the Advocate General's opinion should take this as a subtle hint to up their data protection game, and consider adopting the Framework with a view to achieving greater GDPR and ePrivacy Directive compliance."

Still, given the widespread use of pre-ticked cookie boxes and inactive consent, privacy advocates welcome the fact that the issue has been addressed officially. They are awaiting clear confirmation on the matter by the EU’s top court.

How to get GDPR cookie compliant

A website, whether company or privately owned, must meet certain standards to comply with the GDPR.
First, website users must be informed appropriately about the use of cookies: which cookies are set and which operators (parties) set them.
Second, users must be given the possibility to accept or decline the storage of cookies set from the website. This is achieved with privacy controls that are unchecked by default. If users want to give consent, they must actively – and freely – check the box.
Third, and most importantly, websites are not allowed, according to recital 32 of the GDPR, to store information on the users' end terminal unless:

"Consent is given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subjects' agreement to the processing of personal data relating to him or her."

When a website uses a third-party service that sets cookies (functional, statistical, or marketing), explicit consent must be obtained from the user, or else consent is not given. Therefore, pre-checked cookie boxes do not count as consent.
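
The three requirements above can be checked before any cookie is written. The following is an added example, not code from the original article: it treats a box as consent only if it was rendered unchecked and the visitor ticked it, and it withholds cookies whose third party or storage duration is not disclosed. The field names (`defaultChecked`, `userToggled`, `provider`, `durationDays`) and all sample data are assumptions constructed for illustration.

```javascript
// Constructed sample: state of each consent checkbox at submit time.
// defaultChecked = how the page rendered it; userToggled = the visitor clicked it.
const sampleBoxes = [
  { category: "marketing",   defaultChecked: true,  checked: true,  userToggled: false },
  { category: "statistical", defaultChecked: false, checked: true,  userToggled: true  },
  { category: "functional",  defaultChecked: false, checked: false, userToggled: false },
];

// Constructed sample: cookies the site wants to set, with their disclosure data.
const sampleCookies = [
  { name: "ad_id",   category: "marketing",   provider: "ads.example",   durationDays: 365 },
  { name: "stats_a", category: "statistical", provider: "stats.example", durationDays: 30 },
  { name: "stats_b", category: "statistical", provider: "",              durationDays: 30 },
  { name: "chat",    category: "functional",  provider: "chat.example",  durationDays: 7 },
];

// Categories that ship pre-ticked: a form defect to fix before release.
function preTickedCategories(boxes) {
  return boxes.filter((b) => b.defaultChecked).map((b) => b.category);
}

// Consent counts only when the box was rendered unchecked and the visitor
// ticked it. A pre-ticked box never counts, even if it is still checked.
function grantedCategories(boxes) {
  return new Set(
    boxes
      .filter((b) => !b.defaultChecked && b.userToggled && b.checked)
      .map((b) => b.category)
  );
}

// A cookie is disclosed when its third party and storage duration are stated.
function isDisclosed(cookie) {
  return Boolean(cookie.provider) &&
    Number.isFinite(cookie.durationDays) && cookie.durationDays > 0;
}

// Names of cookies that may be stored: consented category, complete disclosure.
function cookiesAllowed(cookies, boxes) {
  const granted = grantedCategories(boxes);
  return cookies
    .filter((c) => granted.has(c.category) && isDisclosed(c))
    .map((c) => c.name);
}
```

With the sample data, the pre-ticked marketing box yields no consent, and only the statistical cookie with a named provider is released.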