GDPR: Don't Use Pre-Ticked Boxes for Cookies

Last updated on 22 March 2021 by Robert Bateman (TermsFeed Privacy and Data Protection Research Writer)


When the General Data Protection Regulation (GDPR) passed in 2016, websites started putting up cookie banners in preparation for its 2018 enforcement date. But many of these cookie banners didn't actually comply with the new consent thresholds imposed by the GDPR.

Nearly five years have passed, and many cookie consent solutions still fall short of the GDPR's standard. The EU's Data Protection Authorities, however, have started cracking down on non-compliant cookie consent mechanisms.

One of the more common violations of EU consent rules is the pre-ticked box. This article will explain why pre-ticked boxes are unacceptable under EU law and look at the best alternative cookie consent solutions.


Do I Need to Comply With EU Privacy Law?

Merely making your website accessible to EU users doesn't mean you need to comply with EU privacy law. However, non-EU companies have to comply with EU privacy law if they:

  • Offer goods or services to consumers in the EU, or
  • Monitor the behavior of people in the EU

Monitoring the behavior of people in the EU can include using cookies that track their behavior across websites, devices, or apps. Therefore, if your website uses cookies for advertising or analytics, you probably do need to comply with EU privacy law in respect of EU visitors.

The EU's cookie consent rules also apply in the UK, Iceland, Liechtenstein, and Norway. When we use the term "the EU" in this article, we're also referring to these countries.

Remember that the EU has some of the strictest consumer privacy laws in the world. In some jurisdictions, it is perfectly lawful to operate an opt-out model of cookie consent. In others, you don't need to request consent for cookies at all. For more information, see our article Cookie Consent Outside of the EU.

What's Wrong With Pre-Ticked Boxes?

Let's look at some EU laws and legal cases that explain why pre-ticked boxes are not allowed under the GDPR.

ePrivacy Directive

The ePrivacy Directive is an older EU law that has been transposed into the national laws of each EU country (plus the UK, Iceland, Liechtenstein, and Norway).

The ePrivacy Directive states that website and app operators must seek consent before accessing information stored on users' devices or placing information on users' devices (with some exceptions). This includes using cookies and other tracking technologies.

General Data Protection Regulation (GDPR)

The GDPR passed in 2016, repealing an older law known as the Data Protection Directive, and updated the EU's standard of consent.

The GDPR's standard of consent is among the strictest in the world. Under the GDPR, consent must be:

  1. Freely given
  2. Specific
  3. Informed
  4. Unambiguous
  5. Given via a clear, affirmative action
  6. Easy to withdraw

Under this strict standard of consent, only opt-in consent solutions are valid. The user must take an affirmative action to indicate that they consent, not to indicate that they don't consent.

Planet49 Case

Among EU countries, there had been some disagreements about the rules on consent. These disagreements were settled by an October 2019 judgment of the Court of Justice of the European Union (CJEU) in Case C-673/17, known as "Planet49."

Planet49 ran a lottery on its website. To enter the lottery, users had to tick a box consenting to receive marketing from third parties. They could also, optionally, untick a pre-ticked box consenting to cookies.

The CJEU reasoned that it is practically impossible to ascertain objectively whether a user actually consented, or even read the accompanying information, when the only evidence of consent is that they failed to untick a box.

Therefore, the court ruled that a pre-ticked box is not valid for obtaining users' consent.

The Planet49 case also provided some other important interpretations of EU privacy law:

  • Your Privacy Policy or Cookies Policy must tell users how long cookies will operate on their devices and whether third parties have access to them
  • Consent must be specific to the cookie processing: it cannot be inferred from the user's agreement to something else (in Planet49, clicking to enter the lottery did not amount to consent to cookies)
  • You must obtain consent via "an active behavior" that gives a "clear view" of the user's wishes. Cookie notices that read "by using our website, you agree to the use of cookies" are therefore invalid. The recent CNIL fines imposed on Google and Amazon, which we'll explore below, reinforce this.

European Data Protection Board

The European Data Protection Board (EDPB) published updated guidance on GDPR consent in May 2020. This guidance clearly states that pre-ticked boxes are not a valid way to obtain consent under the GDPR.

The EDPB also states that any consent obtained under the old standard of consent will have to be renewed in order to meet the GDPR's higher standard.

This means that if you previously used a pre-ticked box to obtain users' consent, you'll need to make a new request using a valid consent mechanism.

CNIL Fines Against Amazon and Google

On December 10, 2020, France's Data Protection Authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), announced a fine of €35 million ($42 million) against Amazon. The CNIL's reasoning closely follows the CJEU's Planet49 decision.

The CNIL fined Amazon because "when a user visited [Amazon.fr], cookies were automatically placed on his or her computer, without any action required on his or her part." The CNIL also noted that the information provided about cookies "was neither clear nor complete."

Amazon's cookie banner did not use a pre-ticked box, but it demonstrated the same flawed approach to cookie consent. According to the CNIL, Amazon's cookie banner read: "By using this website, you accept our use of cookies allowing to offer and improve our services."

Amazon placed cookies on a user's device before the user had the opportunity to opt out of cookies or read Amazon's Cookies Policy.

Also on December 10, the CNIL fined Google a total of €100 million ($121 million) because it had "not complied with the requirement... regarding the collection of prior consent before placing cookies that are not essential to the service."

Again, Google did not use a pre-ticked box as such. Its banner offered two buttons, "access now" and "remind me later," but advertising cookies were placed on the user's device as soon as they arrived at google.fr, before they had interacted with the banner at all. This was, in effect, "opt-out" consent: much like a pre-ticked box.

The CNIL also criticized Google for its failure to provide sufficient information to users about the purposes of cookies before placing them on users' devices.

How Do I Get Valid Cookie Consent?

So, given that a pre-ticked box is off the cards, how can you get legally valid cookie consent in the EU?

If your current cookie consent solution involves a pre-ticked box, unticking it is only the first step. The box must start unticked, and your site must not set any non-essential cookies until the user has ticked it and confirmed their choice. An unticked box on a page that has already dropped analytics or advertising cookies is no better than a pre-ticked one.

A good cookie consent mechanism provides two clear options: accept or reject cookies. It should be as easy for your users to accept as to reject cookies. You must not set non-essential cookies on a user's device until they click "accept."

Note that so-called "cookie walls," which make access to a website or service conditional on accepting cookies, do not produce freely given consent according to the EDPB's May 2020 guidelines, and are therefore not acceptable in the EU. For more information, see our article GDPR: No Cookie Consent Walls.

Most websites use a simple "cookie banner" to request consent for cookies. Here's an example from the European Central Bank:

European Central Bank cookie consent notice banner

Note that the European Central Bank provides a link to its Cookies Policy alongside its consent request.

Do I Need a Cookies Policy?

Any website or app using cookies requires a Cookies Policy or Privacy Policy that explains how and why it uses cookies.

In the EU context, a Cookies Policy must explain:

  • What cookies are
  • Why you use them
  • The types of cookies you use
  • How long cookies will be stored on the user's device
  • How to manage cookies

For more information, see our article How to Write a Cookies Policy.

There are two broad types of cookies that don't require consent under the ePrivacy Directive. Here's the relevant section of the law, at Article 5 Section 3:

EUR-Lex ePrivacy Directive: Article 5 Section 3

The following two types of cookies are identified in this part of the directive:

  1. Cookies used "for the sole purpose of carrying out the transmission of a communication over an electronic communications network"
  2. Cookies that are "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service"

The Article 29 Working Party (which has now been succeeded by the EDPB) states that activities constituting the "transmission of a communication over an electronic communications network" include:

  • Routing information over a network, e.g. identification of communication endpoints
  • Exchanging data in its intended order, e.g. numbering of data packets
  • Detecting transmission errors or data loss

These sorts of activities are carried out by "load-balancing cookies," so long as they are only stored on the user's device for the duration of their session.

The Working Party identifies the following types of cookies as being "strictly necessary" to provide a service requested by the user:

  • User-input cookies that remember form inputs and shopping cart contents for the session
  • Authentication cookies
  • User-centric security cookies (for example, to detect repeated failed login attempts)
  • Multimedia player cookies that remember the user's playback position for the session
  • User-interface customization cookies (language, layout preferences)
  • Third-party social plug-in content-sharing cookies, for logged-in members of the network who choose to share content (not for tracking users who are not logged in or not members)

All other types of cookies require consent. Generally speaking, such cookies relate to analytics and advertising. These services are primarily for your benefit rather than for the benefit of your users.

Can I Use a Pre-Ticked Box for Essential Cookies?

If you're using either type of the "necessary" cookies that don't require consent, you don't need to use any consent mechanism at all before placing these on users' devices. There is no need to offer an opt-out, whether via a pre-ticked box or otherwise.

Using a pre-ticked box is a valid way to offer users an opt-out of direct marketing communications where you are processing personal data under the lawful basis of "legitimate interests." However, this is not relevant to using non-essential cookies, which require user consent.

As such, the usual pattern is to present non-essential cookies as an opt-in choice that starts switched off, while making it clear that essential or "necessary" cookies are always on and cannot be turned off.

Here's an example from the ICO:

ICO cookie consent notice with necessary and analytics cookies
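The two rules above, that non-essential cookies are set only after an explicit opt-in and that essential cookies need no consent mechanism, are simple to state but easy to get wrong in code. The following is an added example, not code from this article or from any of the sites it discusses, showing the logic a consent banner should sit on top of: every non-essential category starts switched off, nothing is loaded on silence or on "remind me later," a rejection is recorded so the user is not re-prompted, withdrawal has the same effect as rejection, and an audit helper flags the exact condition the CNIL sanctioned (tracking cookies present before any decision). The cookie jar interface, the cookie names (sessionid, csrftoken, cookie_consent, _ga, ad_id) and the category names are assumptions made for illustration; in a browser the jar would wrap document.cookie.

```javascript
// Added example (not from the article): an opt-in cookie consent gate.
// Cookie names, category names and the jar interface are illustrative
// assumptions; a real site would back the jar with document.cookie.

// Cookies treated as exempt under Article 5(3) of the ePrivacy Directive:
// the session/authentication cookie, the CSRF token, and the record of the
// consent decision itself (needed to honour the user's choice on later visits).
const ESSENTIAL_COOKIES = new Set(['sessionid', 'csrftoken', 'cookie_consent']);

// Non-essential categories. Every category starts switched off: there is no
// pre-ticked box, and neither silence nor "remind me later" counts as consent.
const CATEGORIES = ['analytics', 'advertising'];
const CONSENT_COOKIE = 'cookie_consent';
const SIX_MONTHS = 180 * 24 * 60 * 60; // seconds

// Minimal in-memory cookie jar with the shape a document.cookie wrapper
// would expose, so the gate can run and be tested outside a browser.
function createInMemoryJar() {
  const store = new Map();
  return {
    set(name, value, attrs = {}) { store.set(name, { value, attrs }); },
    get(name) { return store.has(name) ? store.get(name).value : null; },
    remove(name) { store.delete(name); },
    names() { return Array.from(store.keys()); },
  };
}

function emptyChoices() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Audit check: non-essential cookies present while no decision is recorded.
// A non-empty result is the "cookies placed before any action by the user"
// pattern the CNIL sanctioned in the Amazon and Google decisions.
function auditPreConsentCookies(jar) {
  if (jar.get(CONSENT_COOKIE) !== null) return [];
  return jar.names().filter((n) => !ESSENTIAL_COOKIES.has(n));
}

// loaders: { analytics: { cookieNames: [...], load(jar) }, ... }
// load() is the only code path that sets a category's cookies (or injects
// its tags), and it is reached solely through an explicit opt-in.
function createConsentManager(jar, loaders) {
  let choices = emptyChoices();

  const saved = jar.get(CONSENT_COOKIE);
  if (saved !== null) {
    try {
      const parsed = JSON.parse(saved);
      for (const c of CATEGORIES) choices[c] = parsed[c] === true;
    } catch (_) {
      // Corrupt or tampered record: treat as "no consent given".
    }
  }

  function persist() {
    jar.set(CONSENT_COOKIE, JSON.stringify(choices), { maxAge: SIX_MONTHS, sameSite: 'Lax' });
  }

  // Load opted-in categories and purge the cookies of categories that are
  // off, so a refusal or withdrawal actually removes what was set earlier.
  function apply() {
    for (const c of CATEGORIES) {
      const loader = loaders[c];
      if (!loader) continue;
      if (choices[c]) loader.load(jar);
      else loader.cookieNames.forEach((n) => jar.remove(n));
    }
  }

  const manager = {
    // Show the banner only while no decision (accept OR reject) is recorded.
    needsDecision: () => jar.get(CONSENT_COOKIE) === null,
    getChoices: () => ({ ...choices }),
    // "Accept all" and "Reject all": equally easy, one click each.
    acceptAll() {
      choices = Object.fromEntries(CATEGORIES.map((c) => [c, true]));
      persist(); apply();
      return manager.getChoices();
    },
    rejectAll() { choices = emptyChoices(); persist(); apply(); return manager.getChoices(); },
    // Granular form: only boxes the user actively ticked become true;
    // anything omitted or untouched stays false.
    save(ticked) {
      choices = emptyChoices();
      for (const c of CATEGORIES) choices[c] = ticked[c] === true;
      persist(); apply();
      return manager.getChoices();
    },
    // Withdrawal must be as easy as giving consent: same effect as reject all.
    withdraw() { return manager.rejectAll(); },
  };

  apply(); // honour a previously recorded choice on page load
  return manager;
}
```

Two design points are worth noting. First, `rejectAll` writes a record just like `acceptAll` does: the consent cookie is itself essential, because without it the site cannot remember a refusal and would keep re-prompting. Second, `apply()` runs on construction and after every change, so a category that is switched off has its cookies removed rather than merely not loaded; that is what makes withdrawal meaningful rather than cosmetic. Running `auditPreConsentCookies` against a fresh page load (with the consent cookie cleared) is a quick regression check that no tag or script is dropping tracking cookies ahead of the banner.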

Can I Use a Pre-Ticked Box for Other Purposes?

While pre-ticked boxes don't meet the EU's standard of consent, it is actually acceptable to use pre-ticked boxes for direct marketing purposes in certain circumstances.

Consent is just one of the GDPR's lawful bases. Think of the lawful bases as valid reasons for processing personal data. Another important lawful basis is "legitimate interests." If you're relying on legitimate interests to process someone's personal data, you don't need to ask permission.

Recital 47 of the GDPR states that "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."

Recital 41 of the ePrivacy Directive states that "within the context of an existing customer relationship, it is reasonable to allow the use of electronic contact details for the offering of similar products or services..."

It is possible to send someone direct marketing via email or SMS based on your legitimate interests, as long as:

  • They provided their contact details when making a purchase or making an inquiry about a purchase of your products or services
  • You only send them marketing materials relating to your own similar products or services
  • They had the opportunity to opt out, both:

    • When they first provided their contact details
    • In every marketing email or SMS you subsequently send them

Before seeking to rely on legitimate interests, you should carry out a legitimate interests assessment.

Here's an example of a pre-ticked box for direct marketing purposes, presented at the point of sale on The Cooden Beach Hotel's website:

The Cooden Beach Hotel marketing communications sign-up form with pre-ticked checkbox

Note that The Cooden Beach Hotel presents its Privacy Policy at the point of collecting personal data from the user.

Summary

Pre-ticked boxes are not a valid way to obtain consent for cookies under the GDPR. Make sure you use a cookie consent mechanism that recognizes the GDPR's standard of consent. Under the GDPR, consent must be:

  1. Freely given
  2. Specific
  3. Informed
  4. Unambiguous
  5. Given via a clear, affirmative action
  6. Easy to withdraw

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.