Pre-Ticked GDPR Checkboxes for Cookies Are Not Allowed

By: Masha Komnenic CIPP/E, CIPM, CIPT, FIP | Updated on: January 6, 2022


The EU’s General Data Protection Regulation (GDPR) was passed in 2016 and has been enforced since 2018. Although most companies have adopted cookie banners in an attempt to comply with the GDPR, many cookie notifications don’t actually meet the GDPR’s strict requirements.

One of the main reasons why these solutions aren’t GDPR-compliant is because they use pre-ticked GDPR checkboxes. Under the GDPR, organizations are not allowed to use opt-out or implied methods of consent, including silence, inactivity, and pre-ticked boxes.

Read on to learn why pre-ticked GDPR checkboxes aren’t generally allowed for obtaining consent for cookies, when they are allowed, and how you can generate a GDPR-compliant cookie policy.

Table of Contents
  1. GDPR Consent Requirements Overview
  2. Do All Cookies Require User Consent?
  3. Why Are Pre-Ticked Checkboxes Not Allowed?
  4. When Are Pre-Ticked Boxes OK?
  5. What Happens If You Use Pre-Ticked Checkboxes for Cookies?
  6. Conclusion

GDPR Consent Requirements Overview

Compared to other privacy laws, the GDPR has a narrow definition of consent. As established in Article 7, organizations are prohibited from using implied or opt-out consent.

Instead, consent must be:

  • A clear affirmative act
  • Freely given
  • Specific
  • Informed
  • Unambiguous

Additionally, businesses must give users an easy way to withdraw their consent after they’ve given it. Continue reading to learn why pre-ticked checkboxes don’t meet the GDPR’s definition of valid consent.

Do All Cookies Require User Consent?

The GDPR mentions cookies only once in its 88 pages. For more guidance we need to look at another EU regulation: the ePrivacy Directive — nicknamed the cookie law.

When the GDPR is read in conjunction with the ePrivacy Directive, internet cookies generally require user consent. This is because the purpose of the ePrivacy Directive is to protect users from interference in their “private sphere.” That protection covers not only users’ personal data but also the risks posed by hidden identifiers and similar files placed on users’ devices without their knowledge.

However, there are two types of internet cookies that don’t require user consent.

1. Cookies that must be present for a site to provide basic functions

You don’t need user consent if you’re using strictly necessary cookies. These are cookies that must be present for the site to provide essential functions, which include:

  • Cookies that enable your online shop to hold a customer’s items in their cart
  • Authentication cookies
  • User-centric security cookies
  • Social media plugins for sharing content, as long as they don’t get used for tracking users
  • UI customization cookies

2. Cookies that are used solely for communicating over an electronic communications network

These types of cookies are called load balancing cookies. They are also considered strictly necessary cookies and don’t require user consent as long as they remain on the user’s device only for the duration of the session. Examples include cookies that:

  • Exchange data in its intended order
  • Send information over a network
  • Detect data loss or transmission errors

All other cookies — typically related to analytics and advertising — require consent because they are geared toward the company’s benefit and not the benefit of its users.

Why Are Pre-Ticked Checkboxes Not Allowed?

Simply put, pre-ticked GDPR checkboxes aren’t allowed because they don’t constitute valid consent.

This issue was explored in detail by the Court of Justice of the European Union (CJEU) in the 2019 Planet49 case.

To sum it up: Planet49 ran a lottery on its website, and to join, users had to check a box to consent to receive marketing from third parties. Users could also choose to uncheck a pre-ticked box consenting to cookies.

In its ruling, the CJEU determined that websites must get valid user consent to store cookies on their devices. In particular, websites must give users the opportunity to provide active consent before placing cookies on the users’ computers.

Because pre-ticked GDPR checkboxes don’t require the user to do anything to indicate their consent, they don’t count as valid consent. Rather than asking the user to tick a box to signal consent, a pre-ticked checkbox requires nothing from the user beyond silence and passivity.

The CJEU also noted that:

  • Consent needs to be given “unambiguously,” and only active, affirmative behavior by the user can fulfill this requirement.
  • It’s impossible to objectively determine whether a user has given informed consent by not selecting a pre-ticked checkbox. This is because the user may not have read the information next to the pre-ticked checkbox or may have skipped over the checkbox entirely.
  • You can’t get valid consent for multiple purposes through the same request. For instance, you can’t get valid consent from a user if a single checkbox covers both disclosing information to sponsors and allowing the use of cookies.

The user should be able to actively select the checkbox they want to provide consent for if their consent is to be considered unambiguous.

Other considerations when determining consent

According to the May 2020 guidance on GDPR consent from the European Data Protection Board (EDPB), companies must also renew any consent obtained under the previous legal regime.

For example, before the GDPR, the ePrivacy Directive had allowed pre-ticked checkboxes as long as you used them to obtain consent.

This means that if you had used a pre-ticked checkbox before the GDPR came into force, you need to request consent again using a valid method.

When Are Pre-Ticked Boxes OK?

In short, pre-ticked boxes are not OK for non-essential cookies because they don’t meet the GDPR’s consent requirements, but you can display them for essential cookies.

Are Pre-Ticked Checkboxes OK for Essential Cookies?

There’s no need to use pre-ticked checkboxes for “essential” cookies that don’t require consent in the first place. Because they don’t require any kind of user consent, there’s no need to give users the ability to opt out of essential cookies.

However, if you want, you can choose to include a pre-ticked checkbox for essential cookies. Using a pre-ticked checkbox for essential cookies can help the audience understand the difference between essential and non-essential cookies and that they have the ability to opt in to non-essential cookies.

Are Pre-Ticked Checkboxes OK for Other Cookies?

No, pre-ticked checkboxes are not OK for non-essential cookies. As discussed above, non-essential cookies require valid consent. This means you can’t use a pre-ticked checkbox to get that consent.

What Happens If You Use Pre-Ticked Checkboxes for Cookies?

The EU is always on the lookout for companies that violate the GDPR and the ePrivacy Directive’s strict standards. Here are two recent examples illustrating what could happen if you don’t follow the EU’s rulings on cookies.

Google’s $121 million cookie fine

On Dec. 10, 2020, France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), fined Google a whopping $121 million (100 million euros) for failing to get prior consent before placing non-essential cookies on users’ browsers.

The CNIL discovered that whenever users went to Google.fr, advertising cookies were automatically placed on their browsers without any action required from them. Google didn’t use a pre-ticked box, but it didn’t give users a way to opt in.

Google.fr had only an informational banner at the bottom of the page, which had a privacy reminder from Google and two buttons, “Access now” and “Remind me later.”

There was also no information about the non-essential advertising cookies that had already been placed on users’ computers when they arrived on Google.fr.

Amazon’s $42 million cookie fine

On the same day that Google got fined, the CNIL also fined Amazon $42 million (35 million euros).

Like Google.fr, Amazon.fr automatically placed cookies on users’ computers without requiring them to take any action to indicate consent. The information provided about the cookies was also “neither clear nor complete.”

Like with Google.fr, Amazon’s cookie banner didn’t give users a way to opt in to the cookies, and the site placed cookies on users’ devices before they had the opportunity to read Amazon’s cookie policy or opt out. Instead, it said that users were deemed to have accepted the site’s use of cookies by using the website.

Conclusion

The EU has established high standards for user consent. Pre-ticked boxes are no longer a valid way to get consent for cookies.

According to the GDPR and the ePrivacy Directive, consent must be freely given, informed, specific, and unambiguous, and it must be given through a clear and affirmative action. Websites must also give their users a straightforward way to withdraw their consent at any given time and organizations need to record proof that consent was given.
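The consent rules summarized above (unticked by default, one purpose per tick, easy withdrawal, a record of consent) together with the essential/non-essential split from the cookie section, expressed as an added JavaScript consent gate plus a banner audit. This is example code, not the article’s or any consent-manager vendor’s; the purpose names, cookie names and the banner model are assumptions.

```javascript
// Added example, not the article's or any consent-manager vendor's code.
// Purpose names, cookie names and the banner model are assumptions.
const ESSENTIAL = new Set(["session", "auth", "cart"]); // strictly necessary: no consent needed
const PURPOSES = ["analytics", "advertising"];          // non-essential: need active opt-in

// Audit a banner model ({ purposes, checked } per control) for the defects Planet49 names.
function auditBanner(controls) {
  const problems = [];
  controls.forEach((c, i) => {
    const nonEssential = c.purposes.filter(p => !ESSENTIAL.has(p));
    if (nonEssential.length > 1)
      problems.push(`control ${i}: one tick covers ${nonEssential.join(" and ")}`);
    if (nonEssential.length > 0 && c.checked)
      problems.push(`control ${i}: pre-ticked for ${nonEssential.join(", ")}`);
  });
  return problems;
}

class ConsentGate {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.granted = new Set(); // starts empty: silence and inactivity are not consent
    this.log = [];            // proof of consent and withdrawal, with timestamps
  }
  // Default banner state: essential purposes shown ticked and locked, others unticked.
  banner() {
    return [
      { purposes: [...ESSENTIAL], checked: true, disabled: true },
      ...PURPOSES.map(p => ({ purposes: [p], checked: false, disabled: false })),
    ];
  }
  // Called only from the user's click on the banner's save button, with the
  // purposes the user actively ticked. Anything not ticked stays refused.
  grant(ticked) {
    for (const p of ticked) {
      if (!PURPOSES.includes(p)) throw new Error("unknown purpose: " + p);
      this.granted.add(p);
    }
    this.log.push({ event: "grant", purposes: [...ticked], at: this.now() });
  }
  // Withdrawal must be as easy as granting; it is recorded the same way.
  withdraw(purpose) {
    this.granted.delete(purpose);
    this.log.push({ event: "withdraw", purposes: [purpose], at: this.now() });
  }
  // Gate every cookie write: essential cookies always pass, others only with recorded consent.
  canSet(cookie) {
    return ESSENTIAL.has(cookie.purpose) || this.granted.has(cookie.purpose);
  }
}
```

Run `canSet` before every non-essential cookie write and the site never reproduces the Google.fr and Amazon.fr pattern of placing advertising cookies before the user has acted.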


Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.
