Regulations require consent to be obtained through some active behaviour on the part of the user, which led the CJEU to rule that a pre-ticked box does not constitute legitimate consent. The advocate general of the court stated clearly that:
“Requiring a user to positively untick a box and therefore become active if he does not consent to the installation of cookies does not satisfy the criterion of active consent. […] By contrast, requiring a user to tick a box makes such an assertion far more probable.”
This decision reflects Recital 32 of the GDPR, which lists “ticking a box when visiting an internet website” as an example of how valid consent can be obtained from a user.
The court also ruled that consent requirements apply to the processing and storage of all information, not just an individual’s personal data; and that users must be provided with information regarding cookie duration and access by third parties.
However, it did not clarify its position on so-called “cookie walls”. Conditional entrance to websites based on the acceptance of cookies remains a divisive subject in Europe. Data protection authorities in France, Germany, and the Netherlands believe that cookie walls contravene GDPR legislation, and therefore that they should not be allowed. The UK’s Information Commissioner’s Office (ICO), on the other hand, remains “sitting on the fence”.
The post #Privacy: CJEU issues new ruling regarding cookie consent requirements appeared first on PrivSec Report.