European Union: CJEU Advocate General Opinion: A "Pre-Checked Checkbox" Is Not Valid Consent To Cookies Under The GDPR

On 21 March 2019, Advocate General (AG) Maciej Szpunar delivered his opinion on a number of questions which, inter alia, relate to the validity of consent to cookies “by way of a pre-checked checkbox" (Case C 673/17). While the questions referred to the Court of Justice of the European Union (CJEU) primarily related to provisions of the Privacy and Electronic Communications Directive (2002/58/EG), the AG stated that the principles established in his opinion were equally valid for the EU General Data Protection Regulation (GDPR).

Free and Informed Consent

The AG stressed that for consent to be 'freely given' and 'informed' (as required, inter alia, under Art. 4, No. 11 of the GDPR), "it must not only be active, but also separate."

First, there was no active consent "where the storage of information, or access to information" was "permitted by way of a pre-ticked checkbox which the user must deselect to refuse his consent." Second, the requirement of separate consent implied that an activity a user pursues on the Internet (e.g., reading a webpage) and the giving of consent do not "form part of the same act." In particular, from the perspective of the user, the giving of consent should "not appear to be of an ancillary nature" to the users' Internet activities. The giving of consent should "optically in particular, be presented on an equal footing" with other actions such as (as in the case before the referring court) hitting a 'participation button.'

Information Duties with Regard to Cookies

The AG also addressed information duties under the GDPR (e.g., Articles 13 and 14), which he considers to be linked to consent "in that there must always be information before there can be consent." The AG stressed that "due to the technical complexity of cookies," there was an "asymmetrical information" between the website provider and an average Internet user about the operation of cookies. Thus, "clear and comprehensive information" required that a user was able to "comprehend the functioning of the cookies actually resorted to." The required information should, in particular, include "the duration of the operation of the cookies and [...] whether third parties are given access to the cookies or not."

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2019. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.