The EU’s General Data Protection Regulation (GDPR) was passed in 2016 and has been enforced since 2018. Although most companies have adopted cookie banners in an attempt to comply with the GDPR, many cookie notifications don’t actually meet the GDPR’s strict requirements.
One of the main reasons why these solutions aren’t GDPR-compliant is because they use pre-ticked GDPR checkboxes. Under the GDPR, organizations are not allowed to use opt-out or implied methods of consent, including silence, inactivity, and pre-ticked boxes.
GDPR Consent Requirements Overview
Compared to other privacy laws, the GDPR has a narrow definition of consent. As established in Article 7, organizations are prohibited from using implied or opt-out consent.
Instead, consent must be:
- A clear affirmative act
- Freely given
Additionally, businesses must give users an easy way to withdraw their consent after they’ve given it. Continue reading to learn why pre-ticked checkboxes don’t meet the GDPR’s definition of valid consent.
Do All Cookies Require User Consent?
The GDPR mentions cookies only once in its 88 pages. For more guidance we need to look at another EU regulation: the ePrivacy Directive — nicknamed the cookie law.
When reading the GDPR in conjunction with the ePrivacy Directive, internet cookies generally require user consent. This is because the purpose of the ePrivacy Directive is to protect users from interference in their “private sphere,” which covers not only users’ personal data but also the risks that arise when hidden identifiers and similar files are placed on users’ devices without their knowledge.
However, there are two types of internet cookies that don’t require user consent.
1. Cookies that must be present for a site to provide basic functions
You don’t need user consent if you’re using strictly necessary cookies. These are cookies that must be present for the site to provide essential functions, which include:
- Cookies that enable your online shop to hold a customer’s items in their cart
- Authentication cookies
- User-centric security cookies
- Social media plugins for sharing content, as long as they don’t get used for tracking users
- UI customization cookies
2. Cookies that are used solely for communicating over an electronic communications network
These types of cookies are called load balancing cookies. They are also considered strictly necessary cookies and don’t require user consent as long as they’re stored on the user’s device for the duration of their session. Examples include cookies that:
- Exchange data in its intended order
- Send information over a network
- Detect data loss or transmission errors
All other cookies — typically related to analytics and advertising — require consent because they are geared toward the company’s benefit and not the benefit of its users.
Why Are Pre-Ticked Checkboxes Not Allowed?
Simply put, pre-ticked GDPR checkboxes aren’t allowed because they don’t constitute valid consent.
This issue was explored in detail by the Court of Justice of the European Union (CJEU) in the 2019 Planet49 case.
To sum it up: Planet49 ran a lottery on its website, and to join, users had to check a box to consent to receive marketing from third parties. Users could also choose to uncheck a pre-ticked box consenting to cookies.
In its ruling, the CJEU determined that websites must get valid user consent to store cookies on their devices. In particular, websites must give users the opportunity to provide active consent before placing cookies on the users’ computers.
Because pre-ticked GDPR checkboxes don’t require the user to do anything to indicate their consent, they don’t count as valid consent. Rather than getting the user to actively check a box, a pre-ticked checkbox asks nothing of the user but silence and passivity.
The CJEU also noted that:
- Consent needs to be given “unambiguously,” and only active, affirmative behavior by the user can fulfill this requirement.
- It’s impossible to objectively determine whether a user has given informed consent by not selecting a pre-ticked checkbox. This is because the user may not have read the information next to the pre-ticked checkbox or may have skipped over the checkbox entirely.
The user should be able to actively select the checkbox they want to provide consent for if their consent is to be considered unambiguous.
Other considerations when determining consent
According to the May 2020 guidance on GDPR consent from the European Data Protection Board (EDPB), companies must also renew any consent obtained under the previous legal regime.
For example, before the GDPR, the ePrivacy Directive had allowed pre-ticked checkboxes as long as you used them to obtain consent.
This means that if you had used a pre-ticked checkbox before the GDPR came into force, you need to request consent again using a valid method.
When Are Pre-Ticked Boxes OK?
In short, pre-ticked boxes are not OK for non-essential cookies because they don’t meet the GDPR’s consent requirements, but you can display them for essential cookies.
Are Pre-Ticked Checkboxes OK for Essential Cookies?
There’s no need to use pre-ticked checkboxes for “essential” cookies that don’t require consent in the first place. Because they don’t require any kind of user consent, there’s no need to give users the ability to opt out of essential cookies.
However, if you want, you can choose to include a pre-ticked checkbox for essential cookies. Using a pre-ticked checkbox for essential cookies can help the audience understand the difference between essential and non-essential cookies and that they have the ability to opt in to non-essential cookies.
Are Pre-Ticked Checkboxes OK for Other Cookies?
No, pre-ticked checkboxes are not OK for non-essential cookies. As discussed above, non-essential cookies require valid consent. This means you can’t use a pre-ticked checkbox to get that consent.
What Happens If You Use Pre-Ticked Checkboxes for Cookies?
The EU is always on the lookout for companies that violate the GDPR and the ePrivacy Directive’s strict standards. Here are two recent examples illustrating what could happen if you don’t follow the EU’s rulings on cookies.
Google’s $121 million cookie fine
On Dec. 10, 2020, France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), fined Google a whopping $121 million (100 million euros) for failing to get prior consent before placing non-essential cookies on users’ browsers.
The CNIL discovered that whenever users went to Google.fr, advertising cookies were automatically placed on their browsers without any action required from them. Google didn’t use a pre-ticked box, but it also didn’t give users any way to opt in.
Google.fr had only an informational banner at the bottom of the page, which had a privacy reminder from Google and two buttons, “Access now” and “Remind me later.”
There was also no information about the non-essential advertising cookies that had already been placed on users’ computers when they arrived on Google.fr.
Amazon’s $42 million cookie fine
On the same day that Google got fined, the CNIL also fined Amazon $42 million (35 million euros).
Like Google.fr, Amazon.fr automatically placed cookies on users’ computers without requiring them to take any action to indicate consent. The information provided about the cookies was also “neither clear nor complete.”
The EU has established high standards for user consent. Pre-ticked boxes are no longer a valid way to get consent for cookies.
According to the GDPR and the ePrivacy Directive, consent must be freely given, informed, specific, and unambiguous, and it must be given through a clear and affirmative action. Websites must also give their users a straightforward way to withdraw their consent at any time, and organizations need to record proof that consent was given.
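The rules above (no pre-ticked defaults, no non-essential cookies before an affirmative opt-in, easy withdrawal, and a record of each decision) translate directly into the logic of a consent banner. The following is an added example, not code from the article or from any vendor it mentions: a small consent gate written for Node without a DOM, where a Map stands in for document.cookie and the cookie names and categories are constructed for the illustration. It refuses to treat a pre-ticked default or a timeout as consent, blocks non-essential cookies until the user actively ticks a box, and purges them on withdrawal, which is exactly the behaviour the Planet49 ruling and the CNIL decisions found missing.

```javascript
// Added example (not from the article): a minimal consent gate for a web
// client, modelled with plain objects so it runs under Node without a DOM.
// It encodes the rules the article describes: no non-essential cookie is
// written before an affirmative opt-in, the choice defaults to "off" (never
// pre-ticked), consent can be withdrawn, and each decision is recorded.

// Cookie categories. Names are constructed for the example, not real sites.
const COOKIE_CATEGORIES = {
  session_id: "strictly_necessary",   // keeps the user logged in
  cart: "strictly_necessary",         // holds shop basket items
  lb_node: "strictly_necessary",      // load balancing for the session
  _analytics_id: "analytics",
  _ad_id: "advertising",
};
const NON_ESSENTIAL = ["analytics", "advertising"];

class ConsentManager {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.jar = new Map();   // stands in for document.cookie
    this.consent = null;    // null = no decision recorded yet
    this.log = [];          // proof of consent / withdrawal
  }

  // The banner's initial state: every non-essential box unchecked.
  defaultChoices() {
    return Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  }

  // Only an explicit user action may create consent. Choices produced by a
  // pre-ticked default, a timeout or continued browsing are refused.
  recordConsent(choices, source) {
    if (source !== "user_action") {
      throw new Error(`consent from '${source}' is not an affirmative act`);
    }
    const decision = { ...this.defaultChoices() };
    for (const cat of NON_ESSENTIAL) decision[cat] = choices[cat] === true;
    this.consent = decision;
    this.log.push({ at: this.now(), action: "consent", decision });
    return decision;
  }

  // Withdrawal must be as easy as giving consent: one call resets the state
  // and purges any cookies that are no longer permitted.
  withdraw() {
    this.consent = null;
    for (const name of [...this.jar.keys()]) {
      if (!this.canSet(name)) this.jar.delete(name);
    }
    this.log.push({ at: this.now(), action: "withdraw" });
  }

  canSet(name) {
    const cat = COOKIE_CATEGORIES[name];
    if (cat === undefined) return false;            // unknown cookies are blocked
    if (cat === "strictly_necessary") return true;  // exempt from consent
    return this.consent !== null && this.consent[cat] === true;
  }

  setCookie(name, value) {
    if (!this.canSet(name)) return false;
    this.jar.set(name, value);
    return true;
  }
}

// Walks through a page load: essential cookies first, ads blocked until the
// user actively ticks the box, then withdrawal purges them again.
function demo() {
  const cm = new ConsentManager();
  const beforeConsent = {
    session: cm.setCookie("session_id", "s1"),
    ad: cm.setCookie("_ad_id", "a1"),
  };
  // Submitting the banner with the default (unticked) choices grants nothing.
  cm.recordConsent(cm.defaultChoices(), "user_action");
  const afterDefault = cm.setCookie("_ad_id", "a1");
  // The user ticks advertising only.
  cm.recordConsent({ advertising: true }, "user_action");
  const afterOptIn = {
    ad: cm.setCookie("_ad_id", "a1"),
    analytics: cm.setCookie("_analytics_id", "x1"),
  };
  cm.withdraw();
  return { beforeConsent, afterDefault, afterOptIn, remaining: [...cm.jar.keys()], log: cm.log };
}
```

The `source` argument is the important design choice: the banner code that reads the checkbox state must pass `"user_action"` only from a real submit or click handler, so a pre-ticked default that was never touched, or a timer that fires when the banner is ignored, cannot produce a consent record. The `log` array is what an organization would persist (with a consent text version and user identifier in a real deployment) to meet the requirement to keep proof of consent.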