Cookies might be defined as web set of text files by applications and website’s servers to archive and collect long-term information about users. Consent for such processing activity must be clear and transparent. Moreover, cookie consent shall not be based on pre-ticked boxes.

The CJEU (Sentence No. C673/17) has confirmed that consent for storing and accessing information shall not be based on users’ silence and inactivity or pre-ticked boxes implemented within the application or website. Moreover, the European Court has stated that service provider should inform users about cookies activity period once installed within the device.

THE ISSUE

The controversy arose in relation to a lottery website. Users, in order to participate, had to insert their names and email addresses within a landing page where cookies boxes were pre-ticked. Then, according to the German Federal Court, legitimacy of such practice was doubtful. In such context, the dominant issue is the interpretation of “consent” under recent General Data Protection Regulation.

Commercial cookies are text files able to track users’ habits and information which are downloaded within user’ device. Such profiling cookies are precious for businesses due to their capacity to tailor advertisements messages on users’ commercial preferences. Due to inner intrusive nature of these cookies, GDPR requires users must be adequately informed about their use, operation and period of activity.

THE DECISION

According to the interpretation of consent, “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action”. Under these circumstances, consent given through pre-ticked boxes denies the previous “affirmative action” confirming that active consent is the only lawful possible consent.