Europe’s highest court, the CJEU, has ruled that pre-checked cookie consent boxes do not provide the necessary legal consent needed for websites — TechCrunch reports.
Basically, when you open a new website, you need to manually opt in for non-essential cookies. If you don’t, the website doesn’t have any legal right to process your non-essential data. So if you see a pop-up saying you’ve received a cookie, with a pointless ‘ok’ button, then that website is breaking the law.
This ruling will undeniablycause headaches for a lot of businesses, as the cookies in question are often used for targeted advertising and other fundamental operations. But privacy advocates should rejoice as it could influence the upcoming ePrivacy reform.
In addition to active opt-in, cookie consent cannot be bundled with other purposes, and websites must provide specific information on tracking. This additional information is interesting as it’s likely to include who the data will be shared with and how long the cookie will operate.
Web identifiers (like cookies) require active user consent. Pre-ticked consent boxes are invalid. #GDPR #ePrivacy https://t.co/gRk4vZEW7Y pic.twitter.com/Zyjicbn70f
— Lukasz Olejnik (@lukOlejnik) October 1, 2019
But what’s the big deal?
The reason for this strict measure is that under GDPR, consent cannot be implied or assumed. Consent has to be given prior to storing or accessing non-essential cookies, which pre-checked cookie consent boxes cannot do.
Privacy advocators dislike cookies mainly due to third-party cookies (the linked site has now an illegal cookie consent form btw) which gives information to websites other than the ones you’re currently surfing.
While not all third-party cookies malicious (many firms use them for analytical purposes), they can allow companies you’ve never even heard of to track your browsing history across the web and target you with their message — even if you don’t click a single ad.
at here refreshing Curia press release page & noticed their own non-compliant #cookie notice – spot the irony on their cookie information page – looks like the Court are about to render their own site illegal wrt to pre-ticked boxes… a little embarrassing… #privacy #planet49 pic.twitter.com/ewdEqQqrvb
— Alexander Hanff (@alexanderhanff) October 1, 2019
Will this new ruling change anything?
I’m personally big on privacy, but it’s going to hard to know whether this new ruling will have much of an effect on our online behavior.
When GDPR first came into effect, I diligently opted out of everything that even remotely went beyond the basic cookies needed to run the site — except for companies that I trusted. But after facing the 300,000th cookie consent pop-up, my resolve started to fade and I gave in on my principles.
A lot of sites made it basically impossible to opt out, while others required sorting through a long list of random companies to uncheck them — and let’s be honest, nobody’s got time for that.
Today’s ruling, however, tries to clarify rules around does is clarify cookie consent to stop users from being basically forced into it. It is therefore likely that people in the EU will start to notice some changes when visiting websites.
For example TNW — this beautiful website you’re reading — offers you to either accept all cookies or go into privacy setting to manage them manually. Based on the new ruling, it’s likely that consent forms like these would need to add a ‘Refuse All’ button to comply.
That would undeniably make it easier for most users to opt out of cookies on every single site they’d visit… *cue cold sweats for every website with EU traffic*
So keep an eye out to see if your browsing experience changes in the EU, which could also be set for further change with the EU’s upcoming ePrivacy overhaul
Get the TNW newsletter
Get the most important tech news in your inbox each week.