In order to participate in a lottery organised by Planet49, an internet user was confronted with two checkboxes which had to be clicked or unclicked before s/he could hit the ‘participation button’. One of the checkboxes required the user to accept being contacted by a range of firms for promotional offers, another checkbox required the user to consent to cookies being installed on his computer. The issue here was that these tick boxes were pre-ticked.
In its judgement, the ECJ reached confirmed two elements, firstly that pre-ticked boxes cannot be used as valid consent and secondly, when dealing specifically with cookies, consent must be acquired before non-essential cookies are stored on a user’s device.
When dealing with cookies, an important distinction must be made between essential and non-essential cookies. The former are cookies which are essential for a website to function. Non-essential cookies are those which aren’t of great importance such as marketing cookies. Essential cookies do not require the permission of the user, while non-essential cookies require the consent of the user.
These rules have existed for years on end in the EU, and in Malta. However, the GDPR has made acquiring valid consent much more difficult and it is now clear that a pre-ticked checkbox cannot be considered to constitute valid consent. For consent to be considered valid, it must be freely given, specific, informed and unambiguous.
[i] Case C-673/17 - Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände -Verbraucherzentrale Bundesverband e.V.