Using pre-checked consent boxes for cookies is now officially a breach of European privacy laws. The Court of Justice of the European Union has ruled that pre-ticked boxes violate requirements for unambiguous consent.
Let's explore and analyze this issue a bit deeper and find out what you can do to stay compliant.
- 1. The Case
- 2. The Ruling
- 3. The Ruling's Effects on the GDPR
- 4. The Ruling's Effects on Other Laws
- 4.1. California Consumer Privacy Act (CCPA)
- 4.2. California Online Privacy Protection Act (CalOPPA)
- 4.3. Children's Online Privacy Protection Rule (COPPA)
- 4.4. Personal Information Protection and Electronic Documents Act (PIPEDA)
- 5. Examples of Compliance (and Non-)
- 6. Conclusion
The new ruling came from a case involving a German lottery website. A German court asked the Court of Justice of the European Union to clarify the correct interpretation of European law in relation to the case.
The case was decided from the position that putting cookies on to a person's computer is, in itself, an interference into their private life. That means the issue was not limited to cookies that involve personal information.
The court's ruling covered several points, starting with the principle that consent is necessary before issuing or accessing non-essential cookies. The court said it is invalid to rely on implied or assumed consent.
In turn it ruled that a pre-ticked checkbox is invalid because there's no conclusive evidence that the user intentionally consented to the cookies. The same applies to toggles set to "on" by default and similar measures.
The court also ruled that consent has to be "specific" meaning it can't be bundled with another signal from the user. In this case, the lottery website had treated a user signalling that they wanted to use the website as also signalling they consented to cookies.
The ruling also clarified that the site must give users clear details about cookies including how long they will remain active and whether or not they can be accessed by a third party.
One notable point absent from the ruling was whether or not a website can make accepting non-essential cookies (such as advertising trackers) a condition of accessing an online service, a set-up sometimes called a cookie wall. The court said it had not been asked by the German court to address this issue.
The Ruling's Effects on the GDPR
As well as specific cookie laws, the ruling is likely to set a precedent that will apply to future interpretations of the General Data Protection Regulation. That's a law that applies to data processing in three circumstances:
- The company controlling the data is in a European Union country
- The person the data relates to is in a European Union country
- The data is processed in a European Union country
One of the key components of the GDPR is that it very much increased the requirements for obtaining consent. "Consent" is defined in Article 4 of the GDPR as:
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
The court ruling clarifies the European Union's interpretation of an "unambiguous indication." That means continuing to use pre-ticked consent boxes is highly likely to breach the GDPR.
The Ruling's Effects on Other Laws
Several other international laws cover consent to cookies either implicitly or explicitly, with consequences for pre-ticked consent boxes. Here are a few of them.
California Consumer Privacy Act (CCPA)
The CCPA covers very large businesses ($25 million annual revenue or more), those which handle data about a large number of Californians (50,000 or more a year), and those which make more than half their money selling personal data.
The law mainly requires businesses to inform customers what personal data they collect and let them request it be deleted, rather than getting advance consent for data collection. It does let users opt out of their data being sold.
One area where consent boxes are relevant is that even if the user has opted out of their data being sold, there's an exemption when the consumer "uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party."
In this context, to "intentionally interact," the user must show their intention "via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party."
As the law has not yet come into force, it remains unclear whether a pre-ticked box would count as a deliberate interaction in this context.
California Online Privacy Protection Act (CalOPPA)
Children's Online Privacy Protection Rule (COPPA)
COPPA covers websites that are used by, or aimed at, children in the US aged under 13. Its main measure is that sites must get parental consent to collect and handle any data about such children, regardless of whether that data is personal or sensitive.
It says that sites can use "any reasonable effort (taking into consideration available technology)" to get parental consent. Though this appears open, the Federal Trade Commission has listed several acceptable methods to confirm the adult's identity. None of these involve simply completing an online form and ticking boxes.
This means any form of check-box for consent regarding under 13s, whether pre-ticked or not, could violate COPPA.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA affects most Canadian organizations processing data as part of their commercial activity. It states that organizations must seek "meaningful consent" for collecting, using or sharing personal data. It also says consent should generally be express rather than implied.
PIPEDA does not expressly ban pre-ticked consent boxes. However, using them will certainly breach the spirit of the rules.
Examples of Compliance (and Non-)
Ironically, the Court of Justice of the European Union's own site shows the difference the court ruling has made. Alexander Hanff of Think Privacy spotted that on the day of the ruling, the site included the following pre-ticked checkbox regarding a specific use of analytics cookies. This was no longer lawful following the ruling:
Soon afterwards, the site was updated. Rather than use a checkbox, it sets opting out as the default option and instead has an opt-in button. Note that the button comes directly after both an overview of the cookies in question and a link to further details:
Both the original and changed versions were on a dedicated page about cookies.
The court's site also uses a pop-up window that appears the first time the user visits any page on the site. This is necessary under the European cookie rules as the user must give prior consent for any non-essential cookies.
Note that the three-button system distinguishes between technically necessary cookies (which are allowed without consent) and "Accept all" which indicates the consent for non-essential cookies:
The Hotels Barriere site deals with cookies well but at the time of writing its approach needed updating to comply with the rules. While it's very useful to allow users to individually control consent for different types of cookies, having the toggles turned on (meaning consent is enabled by default) conflicts with the European court ruling:
Appropriately, the United Kingdom's Information Commissioner's Office complies with the rules while keeping users informed. Its cookie notice doesn't have a tickbox or toggle for "necessary cookies." Instead, it explains that disabling these cookies will have consequences. It does have a toggle for "Analytics cookies" but has it switched off by default so that a user switching it on will be an unambiguous indication of consent:
Let's recap what you need to know about pre-ticked consent boxes:
- The Court of Justice of the European Union ruled that a pre-ticked checkbox does not constitute valid consent for putting cookies on a computer.
- This establishes a precedent that likely applies to the GDPR's requirements for unambiguous consent for processing personal data.
- A pre-ticked consent box would be at best a gray area and at worst a clear violation of several North American privacy laws.
- As a result, avoiding pre-ticked consent boxes is the simplest way to avoid any risk of breaching privacy and data protection rules around the world.