Web sites have a problem after top EU court rules that pre-ticked checkboxes for tracking cookies aren’t valid for consent

Posted on Oct 4, 2019 by Glyn Moody

Last week we wrote about two important judgments from the EU’s top court – the Court of Justice of the European Union (CJEU). It has just released another long-awaited ruling that is likely to have an even bigger impact on privacy and the Internet. It involves the use of pre-ticked checkboxes for allowing cookies. It’s an approach used extremely widely to track users as they move around the Internet. The underlying idea is presumably that pre-ticking boxes is acceptable, because people still have the option to untick boxes. Unfortunately for the online advertising industry, the CJEU begs to differ:

In today’s judgment, the Court decides that the consent which a website user must give to the storage of and access to cookies on his or her equipment is not validly constituted by way of a pre-checked checkbox which that user must deselect to refuse his or her consent.

That decision is unaffected by whether or not the information stored or accessed on the user’s equipment is personal data. EU law aims to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.

The problem, according to the court, is that with pre-ticked boxes the user is not actively giving consent to the use of cookies. People are often simply agreeing to get rid of the annoying pop-up, which therefore does not constitute meaningful consent. That might seem like quibbling – doubtless the advertising industry will take this view – but it’s a distinction that is now the law in the region. The CJEU is Europe’s highest court, and it is not possible to appeal against its decisions. That means that Web sites in the EU will have problems under the GDPR if they continue to use this approach. Potentially, they could face serious fines. However, it will not be enough to switch from opt-out to opt-in because the CJEU’s judgment imposes additional new requirements on Web sites in the EU:

Furthermore, according to the Court, the information that the service provider must give to a user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.

This ruling was widely expected by experts in EU privacy law. It seems to have been a relatively simple one for the court – even the press release is unusually short. But the knock-on effects will be considerable.

Redesigning Web sites to comply with the latest ruling will not be an easy matter. Visitors must be given information about how each cookie will be used by third parties. Some sites routinely employ many tracking cookies, used for multiple purposes. Presenting that information is going to be very hard. The optimal outcome would be for sites to cut the number of cookies they use. What will probably happen is that visitors will be presented with Web pages full of incomprehensible detail. In effect, these will become new terms and conditions that nobody bothers reading. That, in its turn, may lead to further legal challenges, perhaps ending up before the CJEU again.

Although this judgment clarifies that pre-ticked boxes cannot be used to assume consent to tracking cookies, it does not answer the question whether a site is permitted to refuse access if the cookies are not accepted. This is a crucial issue, since the use of these “cookie walls” is an effective way to force visitors to accept more or less any kind of tracking, and it seriously undermines privacy. As the full ruling explains, the CJEU was not asked to consider that specific question by the German court that sought its view on the use of pre-ticked boxes, and so did not address it. In addition, there is a separate case asking for a clarification on just this point, so the CJEU will anyway be ruling on the legality or otherwise of cookie walls. As with the current judgment, it is widely expected that the CJEU will find that the practice of withholding access unless people accept tracking cookies is unacceptable.

Another aspect of cookies that is not touched upon in the latest CJEU ruling is real-time bidding. This sees personal data of visitors to a Web site sent out to multiple potential advertisers, with no way of controlling what is sent to whom. As Privacy News Online reported earlier this year, real-time bidding is the subject of numerous formal complaints across the EU.

Finally, it is worth noting the impact of this ruling on a major EU privacy law that is still grinding its way through the legislative process. The ePrivacy regulation has been stuck for almost a year now, largely because of fierce industry lobbying against it. However, a new European Commission will start work soon, and that is likely to give a new impetus to the proposed law. The latest CJEU ruling is important because it will feed into discussions about what the ePrivacy regulation can and should do. It is a crucial affirmation and strengthening of the privacy rights of users in the EU. As with the GDPR, its effects are likely to be felt far beyond that region.

Featured image by Sandra Pape.

About Glyn Moody

Glyn Moody is a freelance journalist who writes and speaks about privacy, surveillance, digital rights, open source, copyright, patents and general policy issues involving digital technology. He started covering the business use of the Internet in 1994, and wrote the first mainstream feature about Linux, which appeared in Wired in August 1997. His book, "Rebel Code," is the first and only detailed history of the rise of open source, while his subsequent work, "The Digital Code of Life," explores bioinformatics - the intersection of computing with genomics.
