On October 1, 2019, the Court of Justice for the European Union ("CJEU") issued an important opinion regarding the scope of consent in the context of the General Data Protection Regulation ("GDPR"). Specifically, the Court determined that a company cannot validly obtain a user's consent to install cookies on his/her computer device through means of pre-checked boxes. Instead, the Court ruled that for a user's consent to be valid under the GDPR, consent must be both active and unambiguous.

Why don't pre-checked boxes constitute valid GDPR consent?

The Underlying Case

Planet49 GmbH ("Planet49"), an online gaming company, offered users the chance to participate in a promotional contest. Prior to participating in the promotional contest, users were prompted to enter certain personal information, including name, address, and postal code. Next, the site presented users with two check boxes:

  • The first box was not pre-checked, requiring users to check the box if they agreed to be contacted by other companies that offer promotions.
  • The second box was pre-checked, asking users to agree to install cookies on their devices.

Finally, users would need to click a "participation button" to enter the promotion.

The Court's Reasoning on Pre-Checked Boxes and Consent

The Court considered whether the pre-checked box qualified as valid user "consent" within the context of installing cookies on a user's device. Pursuant to the GDPR:

Consent should be given by a clear and affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her . . . .

The Court reasoned that, based on this language, the GDPR requires that consent be given actively, rather than passively. "Silence, pre-ticked boxes or inactivity should not therefore constitute consent." The Court also stated that the GDPR requires that users provide an "unambiguous indication" of consent. The Court found that the word "indication" suggested that consent must be an affirmative act, and that a pre-checked box can never provide "unambiguous" consent, as there is no way to definitively establish that the user saw the checked box and consented to the applicable Terms.

Planet49 argued that because users clicked a participation button after entering personal information and reviewing the two check boxes, that the participation button qualified as the unambiguous indication that they had consented to the installation of cookies. The Court disagreed. The Court instead found that for consent to be freely given under the GDPR, "it must not only be active, but separate. The activity a user pursues on the internet . . . and the giving of consent cannot form part of the same act." In addition, the Court ruled that agreeing to a "bundle of expressions of intention" could not guarantee that the user consented to each item (receipt of promotional marketing, placement of cookies, etc.) in the bundle individually.

For the subject cookie consent to be valid, the Court explained, the user must be given clear and comprehensive information related to the installation of cookies. The Court detailed that clear and comprehensive information must include:

  • Duration that the cookies will remain operational; and
  • Whether third parties will have access to the cookie data.

Unless this information is provided to users, users will be unable to determine the consequences of accepting the Terms included in the check box.

How this Ruling Involving Pre-Checked Boxes and Consent Can Impact the US Market

Distilled to its core, this ruling requires that consent must be both active, rather than passive, and unambiguous. This now becomes the clear standard for consent insofar as the GDPR is concerned. Because the GDPR applies to data privacy issues in Europe, this CJEU ruling does not directly impact US-based companies which conduct business exclusively in the United States and do not have any EU customers. However, given the number of US companies that do conduct business in Europe, those entities should take caution to avoid using pre-checked boxes when seeking consent from their European customers. Additionally, this ruling is instructive with respect to marketing law within the United States, where we increasingly see issues of consent and the validity of pre-checked boxes contested in courts of law throughout the country.

Similar Blog Posts:

Court Limits the Scope of TCPA Consent

Comparing the California Consumer Privacy Act (CCPA) and the EU's General Data Protection Regulation (GDPR)

CCPA Exception Approved by California Legislature

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.