The first – a requirement of participation – was unchecked and asked the users to agree to receive material from sponsors and partners for marketing purposes. The second box – asking users to consent to the site’s cookies – was pre-selected i.e., pre-checked for accepting all cookies.
The Advocate General’s understanding is that the pre-ticked box for cookies does not provide valid consent according to the GDPR. The fact that users must deselect the box to decline cookie consent does not comply with the GDPR’s provisions for consent being “freely given” and “informed”. Websites and companies cannot assume that the users actively give their consent to cookies by not unchecking a box.
Still, given the widespread use of pre-ticked cookie boxes and in-active consents, privacy advocates welcome the fact that the issue has been addressed officially. They are awaiting clear confirmation on the matter by the EU’s top court.
First, website users must be informed appropriately about cookies’ usage, which cookies are set; and who are the operators (parties) that have set cookies.
Second, users must be given the possibility to accept or decline the storage of cookies set from the website – this is achieved with privacy controls that need to be pre-selected unchecked. If the user wants to give consent, it must actively – and freely – check the box.
When a website uses a third-party service that sets cookies (functional, statistical, or marketing), explicit consent must be obtained from the user, or else consent is not given. Therefore, pre-checked cookie boxes do not count as consent.