In the latest General Data Protection Regulation (GDPR) news, the European Union (EU) Court of Justice ruled that companies cannot use pre-checked boxes to obtain consumer consent to be tracked with cookies and must instead obtain consent by a consumer’s “active behavior.”
Since the GDPR took effect on May 25, 2018, data protection authorities in the EU have wasted no time in launching enforcement actions and issuing fines.
The new decision involves a case filed by the German Federation of Consumer Organizations against Planet49, an online gaming company. Internet users who wished to take part in online promotional games and contests organized by the company were required to enter their names and addresses and were then presented with two bodies of explanatory text, accompanied by checkboxes.
A pre-selected box was featured next to the second body of text, which stated, “I agree to the web analytics service Remintrex being used for me. This has the consequence that, following registration for the games, the organizer sets cookies, which enables Planet49 to evaluate my surfing and use behavior on websites of advertising partners and thus enables advertising by Remintrex that is based on my interests. I can delete the cookies at any time. You can read more about this here.”
The word “here” was hyperlinked to a list of 57 companies, their addresses, the commercial sector to be advertised and the method of communication for the advertising (email, mail or telephone), with the word “unsubscribe” after the name of each company.
This method of obtaining consent violated EU law, the court said, which requires that consent must be given “unambiguously.”
“Only active behavior on the part of the data subject with a view to giving his or her consent may fulfill that requirement,” the court wrote. “In that regard, it would appear impossible in practice to ascertain objectively whether a website user had actually given his or her consent to the processing of his or her personal data by not deselecting a pre-ticked checkbox nor, in any event, whether that consent had been informed. It is not inconceivable that a user would not have read the information accompanying the preselected checkbox, or even would not have noticed that checkbox, before continuing with his or her activity on the website visited.”
The fact that a user selects a pre-checked button to participate cannot be “sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies,” the court concluded.
To read the decision, click here.
Why it matters: This ruling is of particular importance to any business that operates a website or other online service (such as a mobile app) that has visitors from the EU, as you should reevaluate your current procedures for obtaining consumer consent to store cookies. According to this decision, two common forms of consent will not be sufficient: (1) the use of a pre-checked box and (2) a cookie banner that states that consent to store cookies is assumed by the consumer browsing the website and not otherwise affirmatively indicating his or her consent.
The court found that for consent to be freely given under the GDPR, “it must not only be active, but separate. The activity a user pursues on the internet...and the giving of consent cannot form part of the same act.” In addition, the court ruled that agreeing to a “bundle of expressions of intention” could not guarantee that the user consented to each item (receipt of promotional marketing, placement of cookies, etc.) in the bundle individually.
For the subject cookie consent to be valid, the court explained, the user must be given clear and comprehensive information related to the installation of cookies. The court detailed that clear and comprehensive information must include:
- Duration that the cookies will remain operational
- Whether third parties will have access to the cookie data
Unless this information is provided to users, they will be unable to determine the consequences of accepting the terms included in the checkbox.