Pre-ticked Consent is No Consent at All: CJEU Issues Ruling on “Active Consent”
On October 1, 2019, the Court of Justice of the European Union (the “CJEU”) issued a ruling on the meaning of consent in the EU data privacy regime. The CJEU was faced with a specific question having wide-reaching implications: does a web user who does not un-tick a pre-ticked checkbox provide informed and freely given consent? The CJEU answered the question with a strong “no.” At least as to Directive 2002/58/EC (the “ePrivacy Directive”) and the General Data Protection Regulation 2016/679 (the “GDPR”), consent by way of a pre-ticked checkbox which the user must deselect to refuse is not a valid form of consent. Although this decision provides some clarity regarding consent, questions remain.
The dispute leading to the CJEU’s ruling involved online gaming company, Planet49 GmbH. In 2013, Planet49 established an online lottery that required users to provide personal information to enter the lottery. Planet49’s site then presented users with two checkboxes—one deselected checkbox requesting consent to contact the user regarding promotional offers and a second pre-ticked checkbox requesting consent to install cookies on the user’s device. Participation in the online lottery only required selection of the first checkbox. Despite the clear option to deselect the pre-ticked checkbox, the CJEU questioned whether a pre-ticked checkbox constituted a valid form of consent for storing information and for storing cookies on a user’s terminal.
Active consent is valid consent.
On the question of quality of consent, the CJEU stated that valid consent must be “given” by users, and “given” is to be interpreted literally. After considering portions of the ePrivacy Directive, the GDPR, and other legislation, the CJEU concluded that some “indication,” affirmative, rather than passive, was required to indicate user consent. Even more, the CJEU opined that “active consent” is now “expressly laid down” in the GDPR. The CJEU stated that the GDPR and its recitals “expressly preclude silence, pre-ticked boxes or inactivity from constituting consent.” According to the CJEU’s broad interpretation, this understanding of active consent holds even outside of the GDPR.
Throughout its opinion, the CJEU acknowledged unanswered questions. Notably, the CJEU declined to answer the question of the validity of “cookie walls,” that is, requiring consent to the processing of data as a prerequisite to webpage participation. This unanswered question is an important one given the CJEU’s statements regarding choice in consent. The CJEU noted that the GDPR’s “personal data” definition has no import on the consent requirement at least as it applies to Article 5(3) of the ePrivacy Directive. Article 5(3)’s consent requirements apply to processing and storage of all user data, personal or otherwise.
Additionally, the facts of the dispute involved the concept of bundled consent—using a single request process to gain consent to a variety of collections or uses of personal data. The CJEU, however, declined to take a stance on the validity of bundled consent.
What does this mean for you?
The CJEU’s opinion provides needed guidance on EU privacy laws that have often been seen as broad and ambiguous. Companies operating in the EU or targeting EU customers should perform a thorough review of their consent mechanisms to confirm that they meet the requirement of consent espoused by the CJEU in this opinion. Although the CJEU declined to fully-address “cookie consent,” companies should also take a second look at how they are providing options to website visitors in their cookie notices and banners.
Vinson and Elkins tracks developments in the global data privacy regime and educates and assists covered businesses in taking actions to mitigate risk.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.