22 March 2021
When the General Data Protection Regulation (GDPR) passed in 2016, websites started putting up cookie banners in preparation for its 2018 enforcement date. But many of these cookie banners didn't actually comply with the new consent thresholds imposed by the GDPR.
Nearly five years have passed, and most cookie consent solutions still don't meet that standard. The EU's Data Protection Authorities, however, have started cracking down on non-compliant cookie consent mechanisms.
One of the more common violations of EU consent rules is the pre-ticked box. This article will explain why pre-ticked boxes are unacceptable under EU law and look at the best alternative cookie consent solutions.
Merely making your website accessible to EU users doesn't mean you need to comply with EU privacy law. However, non-EU companies have to comply with EU privacy law if they:
The EU's cookie consent rules also apply in the UK, Iceland, Liechtenstein, and Norway. When we use the term "the EU" in this article, we're also referring to these countries.
Remember that the EU has the strictest consumer privacy laws in the world. In some jurisdictions, it is perfectly lawful to operate an opt-out model of cookie consent. In others, you don't need to request consent for cookies at all. For more information, see our article Cookie Consent Outside of the EU.
Let's look at some EU laws and legal cases that explain why pre-ticked boxes are not allowed under the GDPR.
The ePrivacy Directive is an older EU law that has been adopted into the national laws of each EU country (plus the UK, Iceland, Liechtenstein, and Norway).
The ePrivacy Directive states that website and app operators must seek consent before accessing information stored on users' devices or placing information on users' devices (with some exceptions). This includes using cookies and other tracking technologies.
The GDPR, adopted in 2016 and applicable since May 2018, repealed an older law known as the Data Protection Directive and raised the EU's standard of consent.
The GDPR's standard of consent is among the strictest in the world. Under the GDPR, consent must be:
Under this strict standard of consent, only opt-in consent solutions are valid. The user must take an affirmative action to indicate that they consent, not to indicate that they don't consent.
Among EU countries, there had been some disagreements about the rules on consent. These disagreements were settled by an October 2019 case before the Court of Justice of the European Union (CJEU) known as "Planet49."
Planet49 ran a lottery on its website. To enter the lottery, users had to tick a box consenting to receive marketing from third parties. They could also, optionally, untick a pre-ticked box consenting to cookies.
The CJEU said it would be "near impossible" to determine whether the user had actually consented merely because they had failed to untick the box.
Therefore, the court ruled that a pre-ticked box is not valid for obtaining users' consent.
The Planet49 case also provided some other important interpretations of EU privacy law:
The European Data Protection Board (EDPB) published updated guidelines on GDPR consent in May 2020. The guidelines state clearly that pre-ticked boxes are not a valid way to obtain consent under the GDPR.
The EDPB also states that any consent obtained under the old standard of consent will have to be renewed in order to meet the GDPR's higher standard.
This means that if you previously used a pre-ticked box to obtain users' consent, you'll need to make a new request using a valid consent mechanism.
On December 10, 2020, France's Data Protection Authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), fined Amazon €35 million ($42 million) over its handling of cookies on Amazon.fr. The decision applied the same standard of consent that the CJEU had set out in Planet49.
The CNIL fined Amazon because "when a user visited [Amazon.fr], cookies were automatically placed on his or her computer, without any action required on his or her part." The CNIL also noted that the information provided about cookies "was neither clear nor complete."
Amazon did not use a pre-ticked box as such, but it placed cookies on a user's device before the user had any opportunity to refuse them or to read Amazon's Cookies Policy. Consent was simply presumed.
Also on December 10, the CNIL fined Google a total of €100 million ($121 million) because it had "not complied with the requirement... regarding the collection of prior consent before placing cookies that are not essential to the service."
Again, Google did not use a pre-ticked box, as such. Rather, its cookie banner offered two options regarding cookies: "access now" and "remind me later." If the user did nothing, cookies were placed on their device. This was, therefore, a form of "opt-out" consent: much like a pre-ticked box.
The CNIL also criticized Google for its failure to provide sufficient information to users about the purposes of cookies before placing them on users' devices.
So, given that a pre-ticked box is off the cards, how can you get legally valid cookie consent in the EU?
If your current cookie consent solution involves a pre-ticked box, start by unticking it so that the default state is "no consent." That alone is not enough, though: the box must have no effect until the user ticks it, and no non-essential cookies may be set before then.
A good cookie consent mechanism provides two clear options: accept or reject cookies. It should be as easy for your users to reject cookies as to accept them, and doing nothing (closing the banner, scrolling, or continuing to browse) must be treated as no consent. You must not set non-essential cookies on a user's device until the user clicks "accept."
Note that so-called "cookie walls," that make access to a website or service conditional on accepting cookies, are not allowed in the EU. For more information, see our article GDPR: No Cookie Consent Walls.
Most websites use a simple "cookie banner" to request consent for cookies. Here's an example from the European Central Bank:
Note that the European Central Bank provides a link to its Cookies Policy alongside its consent request.
In the EU context, a Cookies Policy must explain:
For more information, see our article How to Write a Cookies Policy.
There are two broad types of cookies that don't require consent under the ePrivacy Directive. Here's the relevant section of the law, at Article 5 Section 3:
The following two types of cookies are identified in this part of the directive:
The Article 29 Working Party (which has now been succeeded by the EDPB) states that activities constituting the "transmission of a communication over an electronic communications network" include:
These sorts of activities are carried out by "load-balancing cookies," so long as they are only stored on the user's device for the duration of their session.
The Working Party identifies the following types of cookies as being "strictly necessary" to provide a service requested by the user:
All other types of cookies require consent. Generally speaking, such cookies relate to analytics and advertising. These services are primarily for your benefit rather than for the benefit of your users.
For either type of "necessary" cookie described above, you don't need any consent mechanism at all before placing the cookie on users' devices. Nor do you need to offer an opt-out, whether via a pre-ticked box or otherwise.
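Here is how these rules work out in a site's own cookie-setting code: necessary cookies are written unconditionally, non-essential ones are held back until the user explicitly accepts, rejecting is a single action just like accepting, and a decision recorded by an old banner with a pre-ticked box is discarded so that the user is asked again, as the EDPB guidance requires. This is an added example written for this article, not code from Amazon, Google, the ECB or any consent vendor; the cookie names, the in-memory cookie store and the JSON format of the stored decision are all constructed for illustration.

```javascript
// Added example (not from any vendor): a consent gate that is the only path
// through which a site writes cookies. Cookie names and the JSON format of the
// stored decision are hypothetical.

// Cookies exempt from consent under Art. 5(3) of the ePrivacy Directive
// (hypothetical names for this site).
const NECESSARY_COOKIES = new Set([
  "session_id",     // strictly necessary: the user's login / shopping cart
  "csrf_token",     // strictly necessary: security of the requested service
  "lb_node",        // needed to transmit the communication: load balancing, session-only
  "cookie_consent", // records the user's own choice
]);

// Bump when the request changes (new purposes or vendors): older decisions
// then no longer cover what is being asked and must be renewed.
const CONSENT_VERSION = 2;

class ConsentGate {
  // `jar` writes the cookies. In a browser it would wrap document.cookie; here
  // it is a Map so the example runs outside a browser.
  constructor(jar) {
    this.jar = jar;
    this.decision = null; // null: no valid decision, so the banner must be shown
    this.deferred = [];   // non-essential cookies requested before the decision
  }

  // Restore a stored decision. Anything that is not an explicit, current-version
  // opt-in or opt-out (for example consent collected via a pre-ticked box under
  // the old standard) is discarded and the user is asked again.
  loadStored() {
    const raw = this.jar.get("cookie_consent");
    if (!raw) return false;
    let rec;
    try { rec = JSON.parse(raw); } catch (e) { rec = null; }
    const valid = rec !== null && typeof rec === "object"
      && rec.method === "explicit"
      && rec.version === CONSENT_VERSION
      && typeof rec.granted === "boolean";
    if (!valid) { this.jar.delete("cookie_consent"); return false; }
    this.decision = rec;
    return true;
  }

  needsBanner() { return this.decision === null; }

  // Returns true if the cookie was written now, false if it was withheld.
  set(name, value) {
    if (NECESSARY_COOKIES.has(name)) { this.jar.set(name, value); return true; }
    if (this.decision !== null && this.decision.granted) { this.jar.set(name, value); return true; }
    if (this.decision === null) this.deferred.push([name, value]); // wait for the user
    return false; // either no decision yet, or the user rejected
  }

  // Accept and reject are each a single action: rejecting is no harder than accepting.
  accept() {
    this.record(true);
    for (const [name, value] of this.deferred) this.jar.set(name, value);
    this.deferred = [];
  }
  reject() { this.record(false); this.deferred = []; }

  record(granted) {
    this.decision = { granted, method: "explicit", version: CONSENT_VERSION,
                      at: new Date().toISOString() };
    this.jar.set("cookie_consent", JSON.stringify(this.decision));
  }
}

// Constructed scenario 1: first visit, then the user clicks accept or reject.
function firstVisit(userAccepts) {
  const jar = new Map();
  const gate = new ConsentGate(jar);
  gate.loadStored();
  const bannerShown = gate.needsBanner();
  gate.set("session_id", "s-7f3a");     // exempt: written at once
  gate.set("_analytics_id", "A1.9921"); // non-essential: held back
  const analyticsBeforeDecision = jar.has("_analytics_id");
  if (userAccepts) gate.accept(); else gate.reject();
  return {
    bannerShown,
    sessionSet: jar.has("session_id"),
    analyticsBeforeDecision,
    analyticsAfterDecision: jar.has("_analytics_id"),
    stored: JSON.parse(jar.get("cookie_consent")),
  };
}

// Constructed scenario 2: a decision left behind by an old banner with a pre-ticked box.
function legacyPretickedConsent() {
  const jar = new Map([["cookie_consent",
    JSON.stringify({ granted: true, method: "preticked", version: 1 })]]);
  const gate = new ConsentGate(jar);
  const restored = gate.loadStored();
  const analyticsWritten = gate.set("_analytics_id", "A1.9921");
  return { restored, bannerNeeded: gate.needsBanner(), analyticsWritten,
           legacyRecordKept: jar.has("cookie_consent") };
}
```

The important design choice is that `ConsentGate.set` is the only way application code writes a cookie, so a tag or analytics script that fires before the user has decided is queued rather than silently dropped or silently written. Replacing the Map with a wrapper around `document.cookie` is all that is needed to use the same logic in a page.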
Using a pre-ticked box is a valid way to offer users an opt-out of direct marketing communications where you are processing personal data under the lawful basis of "legitimate interests." However, this is not relevant to using non-essential cookies, which require user consent.
As such, many website operators choose to allow users to opt out of non-essential cookies, but make it clear that it is not possible to opt out of essential or "necessary" cookies.
Here's an example from the ICO:
While pre-ticked boxes don't meet the EU's standard of consent, it is actually acceptable to use pre-ticked boxes for direct marketing purposes in certain circumstances.
Consent is just one of the GDPR's lawful bases. Think of the lawful bases as valid reasons for processing personal data. Another important lawful basis is "legitimate interests." If you're relying on legitimate interests to process someone's personal data, you don't need to ask permission.
Recital 47 of the GDPR states that "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."
Recital 41 of the ePrivacy Directive states that "within the context of an existing customer relationship, it is reasonable to allow the use of electronic contact details for the offering of similar products or services..."
It is possible to send someone direct marketing via email or SMS based on your legitimate interests, as long as:
They had the opportunity to opt out, both:
Before seeking to rely on legitimate interests, you should carry out a legitimate interests assessment.
Here's an example of a pre-ticked box for direct marketing purposes, presented at the point of sale on The Cooden Beach Hotel's website:
Pre-ticked boxes are not a valid way to obtain consent for cookies under the GDPR. Make sure you use a cookie consent mechanism that recognizes the GDPR's standard of consent. Under the GDPR, consent must be: