Preiskel & CoPreiskel & Co
Preiskel & Co
  • Home
  • About Us
    • Diversity, Social Responsibility, and Pro Bono
  • Services
    • Corporate
    • Commercial
    • Regulatory
    • Competition & Antitrust
    • Data Protection, Privacy, and Retention
    • Intellectual Property
    • Dispute Resolution
    • Employment
  • Sectors
    • Telecommunications
    • IT, Technology, & Internet
    • Media and Broadcasting
    • Websites, Blogging, & Social Media
    • Film & Television
    • Gambling & Online Gaming
    • Leisure & Retail
    • Energy & Minerals
    • Cryptocurrency & Blockchain
    • Creative Industries
  • People
    • Daniel Preiskel
    • Ronnie Preiskel
    • Tim Cowen
    • Jose Saras
    • Robert Dougans
    • Karthyaeni Vittala
    • Tina Cowen
    • D A T Green
    • Richard Stewart
    • Mor Swiel
    • Ilanit Appelfeld
    • Stephen Dnes
    • Daniel Oakland
    • Robert Harvey
    • Martina Raciti
    • Joanna Coombs-Huang
    • Xavier Prida
    • Stewart White
    • Alison MacFarlane
    • Hannah Leader
    • Peter Dally
    • Antony Corel
    • Sue Warwick
    • Tony Curzon-Price
    • Shardi Shameli
    • Stephen Hornsby
    • Ewelina James
    • Maria Constantin
    • Sophia Yakhno
    • Rachael Machado
  • International
  • Blog
  • News
    • Publications
  • Contact
Menu back  

How the cookie crumbles: pre-ticked consent boxes ruled invalid by the EU Court of Justice

October 17, 2019By Xavier Prida

The EU Court of Justice (EUCJ) recently ruled that a default consent to data processing is not in compliance with EU data protection laws and therefore does not amount to ‘valid consent’.

 At the core of the EUCJ decision was the interpretation of what constitutes ‘valid consent’ with regards to a pre-ticked checkbox used by Planet49 GmbH –a German online gambling company– which the user had to unselect to refuse consent. In determining this, the EUCJ also considered if the information that was stored or accessed constituted personal data and whether this should have any effect. To participate in the Planet49 event in question, the cookie would be placed on the terminal used by the person playing and linked to their registration details, which meant that the cookies were indeed a form of personal data processing.

In essence, the EUCJ decided that the consent which a website user must give to the storage of and access to cookies on his or her equipment is not considered to be validly given by means of a pre-ticked checkbox. In reaching such decision, the EUCJ was unaffected by whether or not the information stored or accessed on the user’s equipment was personal data. EU data protection laws intend to protect the user from any interference with his or her private life and from the risk that hidden identifiers and other similar devices that enter those users’ terminal equipment without their knowledge and consent.  Article 5(3) of the Privacy and Electronic Communications Directive 2002 (PECR) refers to ‘the storing of information’ and ‘the gaining of access to information already stored’, without characterising that information or specifying that it must be personal data, and recital 24 clearly stipulates that any information stored in the terminal equipment of users of electronic communications networks are part of the private sphere of the users.

As for consent, recital 32 of the GDPR specifies this can include ticking a box when visiting a website, yet it expressly excludes ‘silence, pre-ticked boxes or inactivity’ from constituting consent. In line with the Advocate General’s Opinion, the EUCJ found that the requirement for an ‘indication’ of a data subject’s consent was that the consent must be ‘active’ rather than ‘passive’, and that a pre-selected tick could not be seen as an active consent. The EUCJ also took into account article 7(a) of the Data Protection Directive 1995 (DPD) which states that to make such personal data processing lawful, the data subject must give their consent ‘unambiguously’. This requirement was determined as only fulfilled with an active behaviour. Therefore, the interpretation of the EUCJ was that consent referred to in the provisions is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user’s terminal equipment is permitted by way of a pre-checked checkbox. In this particular case, the EUCJ also found that the user selection of a button to participate in the promotional event was insufficient to be interpreted as a valid consent to the storage of cookies.

This decision remedies the unenforceability of –and the lack of compliance with– cookies consent provisions in the EU data protection laws and its transposition into national laws. The judgement, however, does not provide a clear answer as to what should be understood by ‘freely given consent’. Even so, before analysing the ‘freely given’ question, any consent obtained for placing cookies (or analogous technologies) on user devices will have to comply with all conditions (i.e. specific, informed and unambiguous indication of the data subject’s wishes). Meaning that even if one of the conditions is not met, then that consent will not be validly given.

These new implications for cookies consent, mean that website users must be provided with clear and comprehensive information as to the implications of that consent, which includes the type and duration of the operation of cookies and whether or not third parties may have access to those cookies. In practice, the controller must, in order to ensure fair and transparent processing, provide the data subject with information relating to the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period, so that a user is in a position to determine easily the consequences of any consent and ensure that the consent given is well informed.

Please contact Jose Saras and Xavier Prida if you have any questions relating to the use of cookies and obtaining consent.

Latest Preiskel & Co blog posts
  • Advocate General Opinion on Automated Credit-Scoring & Retention of Insolvency Data
    March 28, 2023
  • White House’s Economic Report of the President sets out a roadmap to improve competition in digital markets
    March 22, 2023
  • Brussels Conference brings in industry leaders to discuss the international antitrust landscape
    March 22, 2023
  • Issues in the UK’s forthcoming Digital Markets, Competition and Consumer Bill
    March 17, 2023
  • Stormy weather for cloud computing in the EU
    March 16, 2023
  • Inmarsat Takeover Provisionally Cleared for Take-Off
    March 10, 2023
  • EDPB’s Feedback on the New EU-U.S. Data Privacy Framework
    March 6, 2023
  • UK Data Reform Bill to return to the House of Commons
    March 3, 2023
  • DCMS Publishes New Security and Privacy Principles for App Store Operators and Developers
    February 16, 2023
  • DPO’s Dismissal & Conflicts of Interest Under The EU GDPR – CJEU Ruling
    February 14, 2023
  • ICO – Change of Deadline for Reporting Breach Notifications for Communication Service Providers
    February 6, 2023
  • General EU Requirements for Cookie Banners – EDPB Task Force Report
    January 27, 2023

The Preiskel Blog

  • Advocate General Opinion on Automated Credit-Scoring & Retention of Insolvency Data 28 Mar 2023
  • White House’s Economic Report of the President sets out a roadmap to improve competition in digital markets 22 Mar 2023
  • Brussels Conference brings in industry leaders to discuss the international antitrust landscape 22 Mar 2023
  • Issues in the UK’s forthcoming Digital Markets, Competition and Consumer Bill 17 Mar 2023

Preiskel news

  • Senior Partner, Danny Preiskel, quoted by IT Pro on the costs incurred by MNOs
  • Senior Partner, Danny Preiskel, will be a panellist at GCCM Carrier Community 2023 on IOT
  • Jose Saras and Xavier Prida Awarded First Place as Data Protection Thought Leaders in the UK
  • Ronnie Preiskel chosen to judge 24 May 2023 The Tech Capital Global Awards
Preiskel tweets
  • Advocate General Opinion on Automated Credit-Scoring & Retention of Insolvency Data. Find out more here: https://t.co/bJkvPBvj6F2 hours ago
  • Issues in the UK’s forthcoming Digital Markets, Competition and Consumer Bill. Find out more: https://t.co/3BHP1xq69Y5 days ago
  • White House’s Economic Report of the President sets out a roadmap to improve competition in digital markets. Find o… https://t.co/S7J7sX3kfs6 days ago
Preiskel & Co LLP
4 King's Bench Walk,
Temple,
London
EC4Y 7DL
United Kingdom

Tel: +44 20 7332 5640
Email: info@preiskel.com

Find us on:

TwitterLinkedinMail
© Preiskel & Co LLP 2023 | Site map | Legal notices | Cookie Policy | Privacy