Pre-ticked consent boxes are a popular tool among website designers looking to maximize the number of people who accept cookies – but they are also one of the most common violations of EU consent rules. This article will delve into the issue of pre-ticked boxes, and explain why they are not a valid method of obtaining consent under the GDPR.
GDPR Cookie banner: Don’t use pre-ticked boxes.
Understanding the Basics of the GDPR
The GDPR, short for General Data Protection Regulation, is a set of rules that govern the use and handling of personal data belonging to people in the European Union. It replaces the earlier Data Protection Directive; it was passed in 2016 and came into force in 2018.
The goal of the GDPR is to standardize the collection of data related to people in the EU. It recognizes consumers’ increased risks when browsing online and imposes rules that prevent organizations from violating their rights to privacy.
The legislation is part of fundamental European law, and while meant to protect EU citizens, applies to any company that handles data from the region. It doesn’t matter whether an organization is officially based in Seoul, California or Hawaii – if they target or collect data from European consumers, they’re subject to the provisions (and penalties) of the GDPR.
A large part of compliance with the GDPR has to do with obtaining individuals’ consent. The regulations don’t outright ban the collection of data; as long as organizations are fulfilling what’s required of them by the EU and obtain users’ permission, data handling can carry on.
How the GDPR Defines Consent
The General Data Protection Regulation is widely regarded as the strictest privacy law in the world. It thoroughly outlines the EU’s stance on the use of personal data, how organizations are expected to handle it, and what criteria must be met in order for consent to be considered lawfully given.
In order to collect citizens’ personal data, the GDPR states that organizations must obtain consent that is:
- Freely given
- Given via affirmative action
- Easy to withdraw
These criteria create what is known as an ‘opt-in framework’, which means that individuals must take specific action (usually ticking a box or clicking a button) to indicate that they consent to their data being collected.
What Are Pre-ticked Boxes, and Why Are They a Problem?
A pre-ticked box is a checkbox that is already selected by default. Such boxes are commonly used on websites and apps as a means of obtaining consent from users for the collection of their data. For website administrators, pre-ticking the box makes it more likely that users will simply click ‘agree’ without reading the terms and conditions, which in turn makes it easier to obtain consent.
While pre-ticked boxes may seem like a small detail, they are actually a big problem when it comes to compliance with the GDPR. This is because they do not meet the requirements for consent that are outlined in the legislation. In order for consent to be considered valid, it must be freely given. A pre-ticked box does not leave room for users to make a choice – it’s automatically ticked, which means that consent is not considered to be voluntary or affirmative.
In addition to being non-compliant with the GDPR, pre-ticked boxes can also create a negative user experience. They are often seen as being manipulative and deceptive, which can damage the relationship between an organization and its consumers.
The Planet49 Case
The Planet49 case is one of the most prominent examples to date of how pre-ticked consent boxes can cause trouble for websites. In 2019, the gambling website faced a legal challenge with regulators over its use of such a box, which was included in a marketing consent form on its registration page.
The Court of Justice of the European Union (CJEU) found that the form was in breach of the GDPR because it did not obtain valid consent from users. The CJEU stated that it would be “near impossible” to tell whether a user had deliberately left the box ticked or not, which meant that consent could not be considered to be freely given.
The Planet49 case also brought forth some additional clarifications of the GDPR that have become incredibly important in years since the final ruling.
These include requirements that:
- Privacy policies inform users of the duration for which cookies will be stored on their devices
- Consent must not be requested for multiple purposes at the same time
- Consent must be obtained through an active behavior that creates a clear picture of users’ wishes
The EDPB Has Spoken: Pre-ticked Boxes Are No Longer Valid
In May 2020, the European Data Protection Board (EDPB) published updated guidance on the use of consent under the GDPR. The guidance is clear on the fact that pre-ticked boxes are not a valid way to obtain consent from individuals.
The EDPB states that consent must be given through a “positive action”, such as ticking a box or clicking a button. This means that consent cannot be bundled with other terms and conditions, and must be separate from them. In addition, the EDPB guidance says that consent must be “unambiguous”, which means that it should be clear to individuals what they are consenting to.
The guidance goes on to say that any consent obtained under the old standard of consent will have to be renewed in order to meet the GDPR’s higher standard. This means that organizations will need to reach out to individuals who have already consented and obtain their consent again, this time using a method that complies with the GDPR.
Let’s take a look at the top four steps you can take to comply:
Get rid of any pre-ticked boxes on your website
This is the first and most important step that you need to take in order to comply with the GDPR. As we’ve seen, pre-ticked boxes are no longer a valid way to obtain consent from individuals, and can lead to hefty fines.
If you’re not sure whether your website has any pre-ticked boxes, take a look at your registration and login forms. If there are any checkboxes that are already ticked by default, then you will need to change their settings or remove them altogether.
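As an added illustration (not code from the article or any CMP vendor), here is a small Node.js audit that scans an HTML form for checkboxes ticked by default; the sample form, the function names and the regex-based tag scanner are constructed for this example.

```javascript
// Added example: find consent checkboxes whose default state is "checked".
// A regex-based scanner is used so this runs in plain Node with no DOM library;
// in a browser the same check is document.querySelectorAll('input[type=checkbox]:checked').

// Constructed sample form: two pre-ticked boxes, one compliant (unticked) box.
const SAMPLE_FORM = `
<form id="register">
  <input type="checkbox" name="marketing" checked> Send me offers
  <input type="checkbox" name="analytics_cookies"> Allow analytics cookies
  <input type="checkbox" name="terms" checked="checked" /> I accept the terms
  <input type="hidden" name="csrf" value="x">
</form>`;

// Turn the attributes of one <input ...> tag into a plain object.
// Valueless attributes such as a bare `checked` map to an empty string.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<input\b/i, '').replace(/\/?>$/, '');
  const re = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs[m[1].toLowerCase()] = value === undefined ? '' : value;
  }
  return attrs;
}

// Return the names of checkboxes that are ticked before the user does anything.
function findPreTickedBoxes(html) {
  const tags = html.match(/<input\b[^>]*>/gi) || [];
  return tags
    .map(parseAttributes)
    .filter(a => (a.type || 'text').toLowerCase() === 'checkbox' && 'checked' in a)
    .map(a => a.name || '(unnamed)');
}

// Opt-in consent requires that no consent box is ticked by default.
function isOptInCompliant(html) {
  return findPreTickedBoxes(html).length === 0;
}

console.log('Pre-ticked boxes:', findPreTickedBoxes(SAMPLE_FORM));
console.log('Opt-in compliant:', isOptInCompliant(SAMPLE_FORM));
```

Run it against the HTML of each registration or login form; any name it reports is a box you must untick by default or remove.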
Read up on the GDPR and current guidance
The GDPR is a complex law, and it can be difficult to keep up with all of the changes that have been made to it since it came into effect. This is why it’s important to make sure that you are always up-to-date on the latest guidance from the EDPB and other privacy regulators.
One way to do this is to follow a privacy-focused news stream, such as the IAPP’s Daily Dashboard. This will provide you with the latest news and updates on all things privacy, including the GDPR.
Make sure that your consent forms are clear and concise
Another important step to take is to make sure that your consent forms are clear and concise. This means that they should only be used for the purpose of obtaining consent, and nothing else.
Your consent forms should be easy to find, and should be written in plain language. They should also state clearly what individuals are consenting to, and should not be bundled with other terms and conditions.
Use a consent management platform
A consent management platform (CMP) is a tool that can be used to manage consent on your website. CMPs will typically provide a banner that will be displayed on your website, and which will allow users to manage their consent preferences.