EU's top court says tracking cookies require actual consent before scarfing down user data
Filling out a checkbox in advance to encourage acceptance won't cut it
Websites may not present visitors with a pre-checked box that signals consent to the storage of HTTP cookies on their devices, according to a ruling [PDF] handed down on Tuesday by the Court of Justice of the European Union (CJEU).
The decision follows from the German Federation of Consumer Organizations' challenge of German company Planet49's use of a pre-ticked checkbox to obtain permission to place cookies on the devices of players of its online lottery game.
HTTP cookies are bits of data that get deposited by web servers on the devices of online visitors. They maintain stateful information – keeping a user who just visited logged in, for example – because HTTP is a stateless protocol. They're also widely used for ad-related tracking and analytics. And as such, they have implications for privacy and security.
Planet49 operates an online lottery website that in 2013 presented would-be players with an input box to enter a postal code, a name, and an address, with two sets of checkboxes. The first, to signal consent for various commercial offers, was not pre-selected. The second, to signal consent to have ad targeting cookies placed on one's device, was pre-selected.
The German Federation of Consumer Organizations (Bundesverband) complained in 2014 that the lottery website didn't adequately obtain the informed consent of the user under Article 5(3) of Europe's ePrivacy directive, which preceded the more stringent GDPR that took effect last year. And in the years that followed, the consumer group's lawsuit made its way through German courts to the CJEU, the European Union's equivalent of the US Supreme Court.
In March, Advocate General Maciej Szpunar, who advises the court, said Planet49 failed to obtain valid consent when it presented online lottery players with a pre-selected checkbox.
"[R]equiring a user to positively untick a box and therefore become active if he does not consent to the installation of cookies does not satisfy the criterion of active consent," Szpunar said in his opinion.
"In such a situation, it is virtually impossible to determine objectively whether or not a user has given his consent on the basis of a freely given and informed decision. By contrast, requiring a user to tick a box makes such an assertion far more probable."
Szpunar also objected to linking lottery participation, enabled by the first checkbox, with cookie consent, agreed to by default in the second checkbox.
"In the end, a user only effectuates one click on the participation button in order to participate in the lottery. At the same time he consents to the installation of cookies," he wrote. "Two expressions of intention (participation in the lottery and consent to the installation of cookies) are made at the same time. These two expressions cannot both be subject to the same participation button."
Responding to Szpunar's opinion, ad industry group IAB Europe noted that it has long understood "that GDPR compliance by the digital advertising industry cannot easily be achieved without close cooperation by all involved."
Thus it appears the digital advertising industry still has some work to do to become compliant, particularly now that CJEU has come to the same conclusion as the Advocate General.
The CJEU said it doesn't matter whether cookies represent personal data or not, "the consent which a website user must give to the storage of and access to cookies on his or her equipment is not validly constituted by way of a prechecked checkbox which that user must deselect to refuse his or her consent."
The CJEU ruling underscores the need for online businesses to conform with Europe's cookie requirements, which direct websites to obtain consent before placing cookies. And it serves as a warning shot for website operators.
The court also makes clear that websites must disclose how long cookies will persist and whether or not third parties will be able to access those cookies. This will require existing websites serving European visitors to make code changes to display those cookie parameters.
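One way a site could implement the two requirements described above (no reliance on a pre-ticked box, and disclosure of each cookie's lifetime and third-party access), as an added example that is not from the ruling or this article. The host names, cookie values and function names are constructed for illustration.

```javascript
// Added example. Hosts, cookie values and function names are constructed.
const SITE_HOST = "lottery.example"; // assumed first-party host

// Turn one Set-Cookie header into the parameters a consent notice has to show:
// name, lifetime, and whether a third party set (and can read) the cookie.
function describeCookie(setBy, header, now = Date.now()) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  const a = {};
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    a[(i < 0 ? attr : attr.slice(0, i)).toLowerCase()] = i < 0 ? true : attr.slice(i + 1);
  }
  // Max-Age wins over Expires (RFC 6265); neither means a session cookie.
  let lifetimeSeconds = null;
  if (a["max-age"] !== undefined) lifetimeSeconds = Number(a["max-age"]);
  else if (a.expires !== undefined) lifetimeSeconds = Math.round((Date.parse(a.expires) - now) / 1000);
  const thirdParty = setBy !== SITE_HOST && !setBy.endsWith("." + SITE_HOST);
  return { name, setBy, lifetimeSeconds, thirdParty };
}

// Text for the consent notice, one line per cookie.
function disclosureLine(c) {
  const life = c.lifetimeSeconds === null ? "until the browser closes"
    : `${Math.ceil(c.lifetimeSeconds / 86400)} day(s)`;
  return `${c.name}: kept ${life}; ${c.thirdParty ? "readable by third party " + c.setBy : "first-party only"}`;
}

// Consent counts only if the box was rendered unticked and the user ticked it.
// In a browser, `box` is the <input type="checkbox"> element; defaultChecked
// reflects the HTML `checked` attribute, i.e. the pre-ticked state.
function hasValidConsent(box) {
  return box.defaultChecked === false && box.checked === true;
}

// Only release tracking cookies after valid consent; otherwise set none.
function cookiesToSet(box, trackingCookies) {
  return hasValidConsent(box) ? trackingCookies : [];
}

const sample = [ // constructed headers
  describeCookie("ads.example.net", "uid=abc123; Max-Age=31536000; Path=/"),
  describeCookie("lottery.example", "sid=xyz; Path=/; HttpOnly"),
];
console.log(sample.map(disclosureLine).join("\n"));
console.log(cookiesToSet({ defaultChecked: true, checked: true }, sample).length);
```

A box that arrives pre-ticked never yields consent here, even if the user leaves it ticked and submits the form.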
The cookie consent crackdown comes as third-party cookies are increasingly being blocked by default. Between Apple's Intelligent Tracking Protection in Safari's WebKit engine and Mozilla's Enhanced Tracking Protection in Firefox, regulations like GDPR and the California Consumer Privacy Act, and ad blockers, internet users may actually secure a bit of privacy amid the global surveillance panopticon – unless Google manages to undermine hard-won protections through its suite of Privacy Sandbox proposals. ®