No Pre-Ticked Checkboxes for Cookie Consent
Pre-ticked checkboxes were a staple of consent mechanisms for data like cookies and marketing, at least until 2018. On the surface, they looked easy. The user didn't have to click anything and you got consent almost 100% of the time.
When the General Data Protection Regulation (GDPR) arrived on May 31, 2018, things changed because it ushered in a new understanding of consent in the realm of data processing and privacy. The same definition of consent applies to cookies, particularly non-functional and performance cookies used for marketing and identification.
Going forward, you may no longer use pre-ticked checkboxes to obtain consent. And if you previously relied on them as a form of consent, you need to seek consent again ASAP.
Let's dive into the why and how to correctly use checkboxes for cookie consent.
The GDPR Conditions for Consent
One of the big milestones of the GDPR is the way it changed, or rather solidified, the meaning of consent.
For decades now, tech companies have played fast and loose with the issue of data collection and consent. From cookies to data mining, corporate attorneys made the case that if a user wanted access to a site or service, then they provide implicit consent to the site to collect and use data as the site sees fit. It's a give-and-take relationship. Old examples of this continued to exist in corporate Privacy Policies until relatively recently.
The fallout caused by this type of attitude towards data collection and even data mining is still happening today. In July 2019, the U.S. government ordered Facebook to pay $5 billion in fines over privacy issues. It's also far from the first or last related fine that Facebook will pay both at home and to regulators and governments around the world.
The change in the definition of consent is a reaction to the flagrant abuse of data, and it comes up early in the GDPR in Article 4(11), which says:
"Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
There are two important takeaways from this:
- Consent needs to be freely given, informed, and specific
- Consent requires an affirmative action
Here, you can see that the spirit of privacy and consent changed dramatically. Freely given means there's a choice involved. You can't force consent or assume it. If someone wants to use your site but doesn't want to sign up for marketing, then you can't kick them off your site in retaliation.
What's more, the affirmative action establishes that the consent is freely given, informed and specific.
To that end, Article 7 Conditions for consent outlines four points:
- Data controllers must be able to demonstrate that data subjects provided consent
- Data controllers must present their request for consent in a way that's distinguishable from other matters
- Data subjects can withdraw their consent at any time; it must be as easy to withdraw consent as it is to give it
- Data controllers can't withhold services in exchange for consent to process data
In other words, you can't bury your consent mechanisms in legalese or with a bunch of other checkboxes.
You also need to keep records of each person who consents. If you have data from a data subject but you don't have a record of their consent, then you don't have an agreement.
And you can't kick someone off your site if they decline to allow cookies or consent to processing.
Do Cookies Fall Under the Purview of the GDPR?
The new consent rules apply to personal information like email addresses, names, and other data. That much was largely established when the GDPR became enforceable in 2018. What about cookies? Do they count?
Cookies come up only once in the text of the GDPR. However, Recital 30 states that:
"Natural persons may be associated with online identifiers [...] such as internet protocol addresses, cookie identifiers or other identifiers [...]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
In other words, a cookie identifier on its own may not count, but if you collect cookies plus other data, then the cookie becomes identifying. So, it becomes personal data as defined by the GDPR.
Recital 26 also says that any data that directly or indirectly identifies an individual is personal data under the GDPR.
The Courts Say Pre-Ticked Checkboxes are Gone
The GDPR isn't the only law to tackle the question of consent.
An older law, the ePrivacy Directive, predates the GDPR, and it allowed pre-ticked checkboxes as long as they were part of a consent mechanism. However, that part of the law was challenged in a case that involved a lottery website in Germany called Planet49 GmbH.
The German court asked the Court of Justice of the European Union to rule on a case that asked whether putting any cookies at all on someone's computer is an invasion of their privacy.
In 2019, the European court responded by making several points.
First, the court said that all sites need consent before issuing any non-essential cookies (for marketing, etc.). Implied and assumed consent don't count.
Second, it ruled that a pre-ticked checkbox isn't a valid form of consent. The site can't prove that the user provided intentional consent because it never gave the user the option to tick the box.
Third, consent needs to be "specific." You need to ask for consent to use cookies clearly. The German lottery site got itself into hot water because it used the classic argument mentioned earlier. The site argued that the user being on the website was a signal that it could also place cookies on their computer.
These rulings apply to you if you fall under the umbrella of the GDPR, which means you:
- Are a data controller in an EU member state
- Collect data from residents of an EU member state
- Process data in an EU member state
How to Create GDPR Compliant Opt-In Forms for Cookies
If you collect cookies, then you need some form of cookie consent mechanism.
You can do this in two ways.
First, you can collect consent for cookies only. If you only ask for cookie consent, then you can use a myriad of options, including a yes or accept button.
For example, Avis UK offers a pop-up exclusively for its Cookie Notice and Cookie Policy.
When you click Accept and Close, you engage in an affirmative and recordable action that says you agree to receive cookies from the site.
You don't need to worry about checkboxes if your mechanism strictly covers your Cookie Policy.
If you lump your Cookie Policy and your Privacy Policy into the same consent mechanism, then you do need to use checkboxes, and they must be unchecked.
Checkboxes allow the user to provide 'specific' consent as dictated by the GDPR's Article 4(11) and they meet Article 7's demand that you make consent distinguishable from other matters.
Make it Easy to Withdraw Consent
Those covering the GDPR and the European court case have focused heavily on the issues of 'opting in' and providing consent. However, it's also important to remember that the GDPR says it must be as easy to withdraw consent as it is to give it.
Be sure to create space in your Cookie Policy or elsewhere on your site (such as your Privacy Policy) to give people the opportunity to opt out. Remember that making it easy means matching the simplicity of your consent mechanism.
The BBC provides a helpful example of how to achieve this.
When you land on the BBC site for the first time, the site delivers a banner that asks you to agree to cookies. If you don't agree, the site redirects you to the cookie settings page where you can opt out and adjust settings.
Because it only takes one click to agree to cookie placement, it should only take one click to withdraw consent.
The BBC uses a toggle mechanism to allow you to turn necessary, functional, and performance cookies on and off with a single click for each type of data.
The cookie settings should also be easy to find. Your users shouldn't need to dig through five pages to get there.
Adding it to the pop-up consent mechanism used by the BBC is a helpful way to do this, but you can go further and make it truly accessible.
German fin-tech startup N26 does this well. It includes a clearly-labeled link to its 'Update cookie settings' page in the footer so you can find it wherever you are on the site.
Summary
The changed and formalized definition of consent means that you can no longer rely on implied consent for cookies or any other type of data.
Consent for cookies and any other personal data under the GDPR needs to be:
- Clearly defined
- Freely given
- Affirmative
So, if you use a checkbox to receive consent for cookies, make sure the box is unchecked and be sure to build a mechanism that makes it simple for data subjects to withdraw consent at any time.
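The requirements above (unticked defaults, a record of each consent, no non-essential cookie before consent, and one-step withdrawal) can be enforced in code rather than left to the banner's markup. The sketch below is an added example, not code from any site mentioned in this article; the category names, the `ConsentLedger` class, `cookieHeader`, and the `touched` list (assumed to be reported by the form to show which boxes the user actually clicked) are all illustrative assumptions.

```javascript
// Added example; all names here are illustrative assumptions.
const OPTIONAL = ["functional", "performance", "marketing"];

// Every optional category renders unticked; only the user can change that.
function initialFormState() {
  return Object.fromEntries(OPTIONAL.map((c) => [c, false]));
}

class ConsentLedger {
  constructor() {
    this.records = []; // append-only evidence of each grant and withdrawal
  }

  // `touched` (assumed to be reported by the form) lists boxes the user clicked.
  // A box that arrives checked but untouched was pre-ticked, so it is rejected.
  grant(userId, form, touched, now = new Date()) {
    const chosen = OPTIONAL.filter((c) => form[c] === true);
    const preTicked = chosen.filter((c) => !touched.includes(c));
    if (preTicked.length > 0) {
      throw new Error(`checked without user action: ${preTicked.join(", ")}`);
    }
    for (const category of chosen) {
      this.records.push({ userId, category, action: "grant", at: now.toISOString() });
    }
  }

  // Withdrawal is a single call, mirroring the single click that granted consent.
  withdraw(userId, category, now = new Date()) {
    this.records.push({ userId, category, action: "withdraw", at: now.toISOString() });
  }

  // Latest record wins; no record at all means no consent.
  allows(userId, category) {
    if (category === "necessary") return true;
    const history = this.records.filter(
      (r) => r.userId === userId && r.category === category
    );
    return history.length > 0 && history[history.length - 1].action === "grant";
  }
}

// Returns a Set-Cookie value only when the ledger holds valid consent.
function cookieHeader(ledger, userId, category, name, value) {
  if (!ledger.allows(userId, category)) return null;
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`;
}
```

Because the ledger is append-only, the same records that gate cookie placement also serve as the evidence of consent a data controller must be able to produce.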