GDPR Cookie banner: Don’t use pre-selected boxes

Pre-ticked consent boxes are a popular tool among website designers looking to maximize the number of people who accept cookies – but they are also one of the most common violations of EU consent rules. This article will delve into the issue of pre-ticked boxes, and explain why they are not a valid method of obtaining consent under the GDPR.

GDPR Cookie banner: Don’t use pre-ticked boxes.

Understanding the Basics of the GDPR

The GDPR, short for General Data Protection Regulation, is a set of guidelines that regulate the use and handling of citizens’ data in the European Union. It replaces an older policy known as the Data Protection Directive, was passed in 2016 and then officially implemented in 2018.

The goal of the GDPR is to standardize the collection of data related to people in the EU. It recognizes consumers’ increased risks when browsing online and imposes rules that prevent organizations from violating their rights to privacy.

The legislation is part of fundamental European law, and while meant to protect EU citizens, applies to any company that handles data from the region. It doesn’t matter whether an organization is officially based in Seoul, California or Hawaii – if they target or collect data from European consumers, they’re subject to the provisions (and penalties) of the GDPR.

A large part of compliance with the GDPR has to do with obtaining individuals’ consent. The regulations don’t outright ban the collection of data; as long as organizations are fulfilling what’s required of them by the EU and obtain users’ permission, data handling can carry on.

How the GDPR Defines Consent

The General Data Protection Regulation is widely regarded as the strictest privacy law in the world. It thoroughly outlines the EU’s stance on the use of personal data, how organizations are expected to handle it, and what criteria must be met in order for consent to be considered lawfully given.

In order to collect citizens’ personal data, the GDPR states that organizations must obtain consent that is:

• Freely given
• Specific
• Informed
• Unambiguous
• Given via affirmative action
• Freely given
• Easy to withdraw

These criteria create what is known as an ‘opt-in framework’, which means that individuals must take specific action (usually ticking a box or clicking a button) to indicate that they consent to their data being collected.

What Are Pre-ticked Boxes, and Why Are They a Problem?

A pre-ticked box is a checkbox that is already selected by default. They are commonly used on websites and apps as a means of obtaining consent from users for the collection of their data. For website administrators, enabling pre-ticked boxes makes it more likely that users will simply click ‘agree’ without reading the terms and conditions, which in turn makes it easier to obtain consent.

While pre-ticked boxes may seem like a small detail, they are actually a big problem when it comes to compliance with the GDPR. This is because they do not meet the requirements for consent that are outlined in the legislation. In order for consent to be considered valid, it must be freely given. A pre-ticked box does not leave room for users to make a choice – it’s automatically ticked, which means that consent is not considered to be voluntary or affirmative.

In addition to being non-compliant with the GDPR, pre-ticked boxes can also create a negative user experience. They are often seen as being manipulative and deceptive, which can damage the relationship between an organization and its consumers.

The Planet49 Case

The Planet49 case is one of the most prominent examples to date of how pre-ticked consent boxes can cause trouble for websites. In 2019, the gambling website faced a legal challenge with regulators over its use of the element, which was included in a marketing consent form on its registration page.

The form, which was presented to users before they could enter the site’s lottery, included a pre-ticked box that would opt users in to the use of cookies from Planet49. This was in addition to an unticked box which users could select if they wanted to opt-into marketing from third parties. The company argued that the box was only ticked by default and could easily be unticked by users, but the Court of Justice of the European Union (CJEU) disagreed.

They found that the form was in breach of the GDPR because it did not obtain valid consent from users. The CJEU states that it would be “near impossible” to be able to tell whether a user had deliberately left the box ticked or not, which meant that consent could not be considered to be freely given.

The Planet49 case also brought forth some additional clarifications of the GDPR that have become incredibly important in years since the final ruling.

These include requirements that:

• Privacy policies inform users of the duration for which cookies will be stored on their devices
• Consent must not be requested for multiple purposes at the same time
• Consent must be obtained through an active behavior that creates a clear picture of users’ wishes

The EDPD Has Spoken: Pre-ticked Boxes Are No Longer Valid

In May 2020, the European Data Protection Board (EDPB) published updated guidance on the use of consent under the GDPR. The guidance is clear on the fact that pre-ticked boxes are not a valid way to obtain consent from individuals.

The EDPB states that consent must be given through a “positive action”, such as ticking a box or clicking a button. This means that consent cannot be bundled with other terms and conditions, and must be separate from them. In addition, the EDPB guidance says that consent must be “unambiguous”, which means that it should be clear to individuals what they are consenting to.

The guidance goes on to say that any consent obtained under the old standard of consent will have to be renewed in order to meet the GDPR’s higher standard. This means that organizations will need to reach out to individuals who have already consented and obtain their consent again, this time using a method that complies with the GDPR.

Getting Proper Consent for Your Use of Cookies

The GDPR is a massive law, one which has proven time and time again to be difficult to navigate. This makes the idea of compliance seem daunting, especially for small businesses and website owners. However, there are some key steps that you can take in order to make sure that your use of cookies is compliant with the GDPR.

Let’s take a look at the top four:

Get rid of any pre-ticked boxes on your website

This is the first and most important step that you need to take in order to comply with the GDPR. As we’ve seen, pre-ticked boxes are no longer a valid way to obtain consent from individuals, and can lead to hefty fines.
If you’re not sure whether your website has any pre-ticked boxes, take a look at your registration and login forms. If there are any checkboxes that are already ticked by default, then you will need to change their settings or remove them altogether.

Read up on the GDPR and current guidance

The GDPR is a complex law, and it can be difficult to keep up with all of the changes that have been made to it since it came into effect. This is why it’s important to make sure that you are always up-to-date on the latest guidance from the EDPB and other privacy regulators.
One way to do this is to follow a privacy-focused news stream, such as the IAPP’s Daily Dashboard. This will provide you with the latest news and updates on all things privacy, including the GDPR.

Make sure that your consent forms are clear and concise

Another important step to take is to make sure that your consent forms are clear and concise. This means that they should only be used for the purpose of obtaining consent, and nothing else.
Your consent forms should be easy to find, and should be written in plain language. They should also state clearly what individuals are consenting to, and should not be bundled with other terms and conditions.

Use a consent management platform

A consent management platform (CMP) is a tool that can be used to manage consent on your website. CMPs will typically provide a banner that will be displayed on your website, and which will allow users to manage their consent preferences.

This is a great way to make sure that you are obtaining valid consent from individuals, as it provides a clear and concise way for them to give their consent. In addition, CMPs will often allow you to export a list of individuals who have consented to the use of cookies, which can be handy if you need to prove compliance in the future.

The GDPR is complicated to say the least. The issue of pre-ticked and unticked boxes are just one part of this law that website owners and small businesses need to be aware of. However, by following the steps outlined in this article, you can be sure that your use of cookies is compliant with the GDPR.