Website operators should take steps to ensure that they do not fall foul of a recent preliminary ruling on cookies by the Court of Justice of the European Union (CJEU). On 01 October 2019, the CJEU held that a user’s consent to the use of cookies is not valid if consent is given by way of a pre-ticked box.  

Background 

The case involved the online gaming company Planet49 GmbH which organised a lottery. To enter the lottery users had to enter their postcodes, names and addresses. They were then presented with two check boxes. The first check box contained information requiring the user to agree to being contacted by third parties with promotional offers. The first box had to be ticked in order for the user to participate in the lottery. The second, pre-ticked, box required the user to consent to the use of cookies on their device.

Referral to the CJEU

The CJEU was asked to consider whether obtaining consent for use of cookies by way of pre-ticked boxes is considered as valid consent. The CJEU was asked for further clarification on whether website operators have to provide users with information specifically related to the duration of the cookies. The court was also asked to confirm if users should be informed of any third parties which may have access to the cookies.

The CJEU held consent must be obtained through some active behaviour on the part of the user. The court found that a pre-checked box does not constitute valid consent.

The court, in its reading of Article 5(3) of the Privacy and Electronic Communications Directive (2002/58/EC), highlighted that whilst a user must give its consent, there is no description as to the way in which the consent must be given. The GDPR has, however, taken a much more stringent approach to obtaining consent. Under the GDPR consent must be freely given, specific, informed and an unambiguous indication of the individual’s wishes. The individual must also give a clear affirmative action and agreement that they wish their data to be processed.

Asking a user to untick a box, causing them to become active where they do not consent to the installation of the cookies, is not a valid consent. Actively ticking the box is, however, a clear and affirmative action of consent to the cookies being used.

This decision is not surprising given Recital 32 of the GDPR which states that “Silence, pre-ticked boxes should not therefore constitute consent”. The recent guidance on cookies from the Information Commissioner also takes this same view.

In relation to the separate questions put to the CJEU concerning the duration of the cookies and access of third parties, the court held that this information should be made available to the users.

What will this mean in practice?

It may be time to dust down and update your cookies policy. If your business uses pre-ticked boxes as a method of gaining consent for all cookies this will have to change. Businesses should ensure that consent is gained by active behaviour such as allowing the user to consent to the cookies. If you do not do so already, you should also make the user aware of how long the cookies will be used to process their data and inform them of any third parties that may have access to this information.