The European Court of Justice (ECJ) has handed down a preliminary ruling in a case focussing on the validity of consent obtained from internet users by means of pre-ticked checkbox, and information obligations regarding cookies. The ECJ was reviewing the cookie consent requirements in accordance with the Cookie Directive 2002/58/EC (Cookie Directive), and the General Data Protection Regulation 2016/679/EU (GDPR).
The proceedings concerned participants in a promotional lottery organised by Planet49 GMBH, an online gaming company; participants entering the lottery were faced with a number of checkboxes including a pre-ticked checkbox obtaining consent to cookies, which users could opt out of at any time.
The pre-ticked checkbox authorised the collection and processing of the users personal data. Therefore the first question put before the ECJ was whether a lottery participant gave valid consent by way of a pre-ticked checkbox, which must be deselected to refuse his or her consent?
Pre-ticked checkboxes do not lead to valid consent
The ECJ found that whilst a user’s consent may be given by “ticking a box when visiting an internet website”, consent is defined as being “any freely given specific and informed indication” of a user’s decision. The ECJ also reviewed the legislative origins of Article 5(3) of the Cookie Directive and concluded that the “user consent may no longer be presumed but must be the result of the active behaviour on the part of the user.”
The ECJ also highlighted that the definition of active consent under GDPR expressly precludes “silence, pre-ticked boxes or inactivity”. Therefore consent given in the form of a pre-ticked checkbox does not imply active behaviour on the part of a website user.
This led the ECJ to conclude that the mere fact a user selects the button to participate in the promotional lottery organised by a company, cannot be deemed sufficient to conclude that the user validly gave his or her consent to the storage of cookies.
Implications for different types of cookies
The ECJ also confirmed that its interpretation regarding consent to cookies, applies to any information stored or accessed on a website user’s terminal equipment regardless of whether it would be deemed personal data within the meaning of GDPR. In other words, the consent requirements set out above, apply to personal data and non-personal data.
Finally, the ECJ held that the list of information that the service provider must give to a website user when collecting information, includes the duration of the operation of cookies and whether or not their parties may have access to those cookies.
Whilst the ECJ’s Judgment is not a surprise, it does help to clarify the appropriate standard for cookie consent for EU member states, including the United Kingdom, that have implemented the Cookie Directive; namely that EU cookies, local storage use and similar technologies require active and explicit consent from the individual in the form of a statement or clear affirmative action. The ECJ’s conclusions also reaffirm the UK Information Commissioner’s Office’s post on Cookie Guidance issued in July 2019 that says,
“the user must take a clear and positive action to give their consent to non-essential cookies – continuing to use your website does not constitute valid consent”.
Therefore, further to the recent ICO’s recent Cookie Guidance, businesses and website operators are encouraged to undertake a ’cookie audit’; this involves completing a comprehensive review and update of all webpages and cookie policies to ensure that:
 Recital 17 of Directive 2002/58