EU rules against ‘pre-ticked’ cookie checkboxes

While it has been mandatory in the UK to get user consent to store personal data in cookies since 2012, the latest case arose after a website started using 'pre-ticked' checkboxes for its visitors.

German company Planet49 was using such a system in connection with online promotional games to collect information for the purposes of advertising the firm’s partners’ products.

The German Federation of Consumer Organisations challenged this method at the ECJ and the court ruled in favour of it.

Yesterday’s judgment found that the consent which a website user must give to the storage of cookies on their devices “is not validly constituted by way of a prechecked checkbox which that user must deselect to refuse his or her consent”.

It also said the consent must be specific and cannot be included as part of another promotional tickbox.

The case was first brought to the ECJ in 2013 where the consumer organisation argued that the Planet49 method was illegal.

The German Federal Court of Justice asked for guidance from the EU’s highest court to rule on the case in relation to EU laws on internet privacy. The EU court sided with the German consumer group, saying EU law aimed to protect consumers from interference with their private lives.

“A pre-ticked check box is therefore insufficient,” the court said in a press release.

Luca Tosoni, research fellow at the Norwegian Research Center for Computers and Law at the University of Oslo said in a statement that the ruling is “likely to have a significant impact on the ongoing negotiations on the ePrivacy regulation which is set to regulate cookie usage.”

Several of the largest internet companies, such as Facebook and Twitter, currently have implicit cookie consent, where by using the site consent is deemed to have been given.

The case predates General Data Protection Regulation (GDPR), the May 2018 internet privacy regulations that stipulate how companies must inform users about how their personal information is gathered.

The EU court also ruled that service providers had to fully inform users, including how long the cookies would operate for and whether third parties would have access to gathered data.