Referral to the CJEU
The CJEU held consent must be obtained through some active behaviour on the part of the user. The court found that a pre-checked box does not constitute valid consent.
The court, in its reading of Article 5(3) of the Privacy and Electronic Communications Directive (2002/58/EC), highlighted that whilst a user must give its consent, there is no description as to the way in which the consent must be given. The GDPR has, however, taken a much more stringent approach to obtaining consent. Under the GDPR consent must be freely given, specific, informed and an unambiguous indication of the individual’s wishes. The individual must also give a clear affirmative action and agreement that they wish their data to be processed.
Asking a user to untick a box, causing them to become active where they do not consent to the installation of the cookies, is not a valid consent. Actively ticking the box is, however, a clear and affirmative action of consent to the cookies being used.
This decision is not surprising given Recital 32 of the GDPR which states that “Silence, pre-ticked boxes should not therefore constitute consent”. The recent guidance on cookies from the Information Commissioner also takes this same view.
In relation to the separate questions put to the CJEU concerning the duration of the cookies and access of third parties, the court held that this information should be made available to the users.
What will this mean in practice?
It may be time to dust down and update your cookies policy. If your business uses pre-ticked boxes as a method of gaining consent for all cookies this will have to change. Businesses should ensure that consent is gained by active behaviour such as allowing the user to consent to the cookies. If you do not do so already, you should also make the user aware of how long the cookies will be used to process their data and inform them of any third parties that may have access to this information.