EU Rules That Consent On Cookies Really Does Mean Consent

It has to rank as one of the most bizarre cases to go in front of the Court of Justice of the European Union (CJEU), but at the end of last week, an announcement was made.

The incredibly obvious point to GDPR, now enshrined in law for nearly a year and a half, was discussed -- and an even more obvious outcome was declared. GDPR bans the use of pre-ticked boxes. Didn't we all already know that?

Now, I don't want to position myself as a legal eagle who knows the ins and outs of every aspect of the complicated language used in GDPR. However, on this point, the law could not really be any clearer.

A central aspect to the new law governing personal data rights is that if a business is asking for consent to process a customer's personally identifiable information, that person has to show their consent through a clear and obvious action. That's not the actual wording, but it sums the law up. 

In other words, and the law really couldn't spell it out any more clearly, a person has to be do something to give their consent. It might be flicking a slider button over to "yes" or ticking a box.

Whatever the mechanism is, it has to come from the consumer. And to add another point, it has to be separate from any other wording, meaning that consent cannot be thrown in with other terms and conditions. It has to be explicit and stand-alone as a box that users can choose to tick or not.

The law has been explicit that the days of opt-out are long gone, and so it is illegal to start off any data-gathering process with a pre-ticked box. Similarly, it is against GDPR to use a form of words that suggests the person is already signed up for cookies and offer a box for them to tick to opt out.

The case came about because the German data privacy watchdog was seeking clarification after it had ruled that a German lottery business needed to ask permission, and receive a mark of consent from users, before it placed cookies on their devices. It actually goes back to 2013, according to Netimperative, and one would have thought GDPR would have made the legal discussion a moot point. 

But there you have it -- the most obvious case ever to be put in front of EU judges has been decided. Instead of six years, any one of us could have given a judgement just by looking up the consent section of the ICO website. 

I am surprised all the time by the amount of websites that get this wrong. I have emailed several household names to point out that they are in breach of GDPR, but have never had a reply. 

It seems so odd that we are still having this discussion a year and a half after GDPR became law and laid out in very simple terms -- with even simpler guidance from the ICO and others -- that opt-out was no longer acceptable and informed, granular, explicit consent is the only game in town. 

It might also cause a chuckle or two in adland that this now emerges as a legal ruling when even Google is about to curtail the power of brands to place cookies on web site visitors' devices.

The law gets settled, just as advertisers prepare to wean themselves off third-party cookies.

The irony will be that consent is now going to be increasingly declined at the browser level, making the legal decision on what happens on individual sites a moot point.

Next story loading loading..