back to article Pre-checked cookie boxes don't count as valid consent, says adviser to top EU court

Requiring someone to uncheck a pre-ticked box doesn't count as valid cookie consent under EU law, the adviser to the bloc's top court has said. Advocate general Maciej Szpunar's opinions aren't binding but are often followed by the Court of Justice of the European Union (CJEU). This much-anticipated confirmation of the …

  1. Flak
    Flame

    Let's report every case of this to the ICO

    From personal experience it appears that about half of the websites that ask for information require you to uncheck the marketing tick box. This has annoyed me since long before 25 May 2018 where the proportion of cavalier presumed 'enrolment' was far greater.

    Thank you to those organisations who have changed their web forms to require active opt-in.

    Shame on those who haven't - change now or face the legal consequences.

    1. Chris G Silver badge

      Re: Let's report every case of this to the ICO

      Even more annoying are those sites that have a box to untick but whrn you do, they just go back to the previous page. Or, those sites that tell you you can change preferences but provide no links or pages where you can actually do something.

    2. Irongut

      Re: Let's report every case of this to the ICO

      What checkbox?

      Most cookie consent dialogs I see have two buttons - OK and More Info. Neither gives the opportunity to not consent so the whole damn thing is invalid. Google.

      1. Stumpy

        Re: Let's report every case of this to the ICO

        I've found that many of the sites I visit, if you click the 'More info' button it now directs to a panel where I can disable the cookies, along with explanations of what they're used for.

        1. Tigra 07 Silver badge

          Re: Let's report every case of this to the ICO

          There was one I kept seeing in my news feed for an American news site with an "accept" button, or "more info". "More info" did allow you to unsubscribe to tracking cookies, but only if you visited the owner's site for each one individually (provided as a hyperlink) and deregistered. The list was huge! Well over 50 entries!

          I don't read news provided by this site when it pops into my feed

          1. Captain Scarlet Silver badge

            Re: Let's report every case of this to the ICO

            Why not block them from said website, I do if they don't have a rejecty all button (Which I will click if its not made easy for me such as having half a million sliding boxes for all their leeches)

            1. Tigra 07 Silver badge

              Re: Captain Scarlet

              "Why not block them from said website"

              I use noscript and Ublock on my laptop, but on my phone i only have Ublock. I'd rather not give the company any business at all if they want to be like that.

          2. JetSetJim Silver badge

            Re: Let's report every case of this to the ICO

            Pfft - 50 is nothing - try the Dilbert website, 5 categories, each with well over a hundred cookies (albeit with some duplication), each with individual toggles to disable (enabled by default, natch).

            Sometimes I wonder if it's Scott Adams parodying the issue, but then he's a Trump supporter so probably not

            1. jonfr

              Re: Let's report every case of this to the ICO

              I was not aware that Scott Adams was a Trump supporter. Thanks for letting me know about this. I have done the correct thing (best to my ability to do so) and removed his work from anything I used to follow him on (Facebook/GoComics). I also removed the books I was planning on buying that he had made on Amazon.

              I also invalidated everything I had considered worth listening to from him. Because being a Trump supporter is just really (^9) stupid and only stupid people (and evil) support Trump along with stupid nazis.

              1. veti Silver badge

                Re: Let's report every case of this to the ICO

                I've also gone off Adams since his performance in the 2016 election, but I really have to object to the characterisation of Trump supporters.

                If you write off the entirety of the opposing party, and about 40% of the population, as "stupid and/or evil", you have given up on democracy.

          3. Alan Brown Silver badge

            Re: Let's report every case of this to the ICO

            "I don't read news provided by this site when it pops into my feed"

            Cookies like that get auto-deleted....

        2. gnasher729 Silver badge

          Re: Let's report every case of this to the ICO

          Ars Technica provides you with about 30 links to websites of their advertisers, so you can change your settings with each advertiser individually. You cannot believe how much I hate these guys.

          1. Soapy

            Re: Let's report every case of this to the ICO

            I just noticed that this site is one of these sites that do not give you an easy option to turn cookies on/off, but rather refer you to the individual advertiser. I would have hoped for more from The Register

            1. sabroni Silver badge

              Re: Let's report every case of this to the ICO

              I guess there's an assumption that those of us who care run cookie blockers and noscript.

              I wouldn't want to wait for the internet to make it easy for me to turn off tracking.

      2. P. Lee Silver badge

        Re: Let's report every case of this to the ICO

        Why would anyone think that a web-site provider is going to let you bypass all the things they are trying to do with an "I do not consent" option?

        There is only one option: take responsibility for your own browser software and block the trackers and if the site breaks, go somewhere else.

        Noscript is my favourite, but for non-techies, Brave seems to do a good job of Making the Internet Good Again. Mocking All Google's Advertising Attempts?

        1. Cuddles Silver badge

          Re: Let's report every case of this to the ICO

          "Why would anyone think that a web-site provider is going to let you bypass all the things they are trying to do with an "I do not consent" option?"

          Because they're legally required to do so.

      3. macjules Silver badge

        Re: Let's report every case of this to the ICO

        That would be because you have already landed on the site, in over 90% of cases. Therefore the cookie has already been downloaded by your browser. A properly made site will show you a page first which does not set any cookie and then ask you to consent to visit the website.

      4. bombastic bob Silver badge
        Devil

        Re: Let's report every case of this to the ICO

        "OK and More Info"

        like this: https://aqua-teen-hunger-force.fandom.com/wiki/Www.yzzerdd.com

        (from the article's title, I'm glad to see at least SOME common sense in application of the law)

    3. Persona

      Re: Let's report every case of this to the ICO

      I just wish my browser had a setting (and protocol) to allow me to opt out of having to tick boxes to accept cookies, in fact make it a three way selection: accept all cookies, reject all cookies or require the website to ask.

      1. bombastic bob Silver badge
        Devil

        Re: Let's report every case of this to the ICO

        For Firefox, there's a plugin (or was, I'm using version 56 still) of 'cookie white list with buttons' or similar title. In short, you can tell it to accept ALL cookies, as long as the button enables cookies. But only whitelisted cookies are stored on the hard drive. The rest go into 'write only memory' when you disable cookies or close the browser. Dumping all cookies is basically "turn it off, turn it back on again" [except for whilte-listed cookies, of course]. So it doesn't SOLVE the problem, but it sure keeps it under control.

        In fact, if this were a standard browser feature (HINT HINT) to ONLY store non-white-list cookies IN MEMORY, and give users the ability to "dump all" or shut off their acceptance with a button or a menu option, it might actually solve 99% of the cookie tracking problems. In many cases you'd get those irritating "someone logged on to your account" e-mails but so what. The entire point is to eliminate the tracking, and flushing cookies periodically (yes, obvious reference to "the loo") would really screw them up. And what would happen if EVERYODY did it? they'd have to do something ELSE.

        and 'tick boxes' on a permissions page would no longer matter. And, maybe the browser/plugin could prompt you with "do you want to store this cookie permanently" (with the options to block it [black list] or keep it in memory until you flush/exit [normal handling]) so you can see what they're up to and have some additional choice.

    4. TechnicalBen Silver badge
      Facepalm

      Re: Let's report every case of this to the ICO

      "Are you sure Yes/No"

      "Do you want X Yes/No"

      "Do you want Y Yes/No"

      "Do you want to cancel cancelling all of the above and accept? Yes/No/Skip"

      I came across this change Android setup list recently with a new phone. I can accept my usage and management/customisation of Google and Android services (if you know they are tracking, you can possibly amend usage to fit, or if opt out, can at least minimise on what I personally see as a tool and just a phone)... however, I consider changing the old reliable "skip all" to "accept and skip all" as not cheeky, but down right manipulative and predatory! I nearly accepted all the tracking as I'd became use to the previous no double negative trick questions!

    5. Colin Ritman
      Stop

      Re: Let's report every case of this to the ICO

      GDPR and Cooke consent should be worded in a way that states it should take the same number of clicks to consent than it does ti deny. There is no wiggle room on that, and it will fix the websites that have 1 click GDPR consent, and 30+ clicks to deny (newsquest being one of the worst offenders).

  2. David 155

    blocker

    Is there a blocker for these cookie boxes that seem to appear repeatedly on every damn website?

    1. codejunky Silver badge

      Re: blocker

      @David 155

      Unfortunately not. Instead as per dumb down for the moron rules we have to provide informed consent being shown that and then having to click 'I dont care' before you can see what you want to see.

    2. Fonant

      Re: blocker

      "I don't care about cookies" for Chrome.

      No idea if it works or not, but I have it installed.

      1. This post has been deleted by its author

      2. Pseu Donyme

        Re: "I don't care about cookies"

        This also exists for Firefox. Seems to eliminate most (not all, but there seems to be an option to report where it doesn't work presumably so that the developer can see if a rule or somesuch could be added to it make it work).

    3. bombastic bob Silver badge
      Devil

      Re: blocker

      sort of blocker: a plugin (like the 'cookie white list with buttons' plugin for firefox) that allows you to accept all cookies but put non-white-listed ones into memory only, not on disk. Then when you turn off cookie acceptance (and maybe right back on again), or close the browser, they go into the bit bucket.

  3. Anonymous Coward
    Anonymous Coward

    Well the UKs FSA/FCA/PRU was here years ago ...

    certainly in financial services, pre-checked "optional extra" boxes are forbidden and liable to get the miscreant a mis-selling charge.

  4. Anonymous Coward
    Anonymous Coward

    I recently discovered the English Heritage 'Days Out' app (Android) has problem with obtaining consent. I opened it first the 1st time for ages the other day and it didn't just prompt for my location (turned off by default and only turned on when I NEED to find out where I am), it prompted for me to change my settings to turn on location services and got locked in a loop and refused to continue when I selected 'no' (I subsequently discovered, as others have, selecting 'yes' doesn't work either)

    1. Anonymous Coward
      Anonymous Coward

      That's CD/CI and TDD for you... No actual testing.

  5. LenG

    Not quite the same issue

    ... but I am finding more and more sites which tell me I cannot proceed because I have disallowed third party cookies.

    1. Pseu Donyme

      Re: Not quite the same issue

      A variation of this I have seen lately with embedded Twitter content is getting a message complaining about disabled 3rd party cookies instead of the tweet. This sort of thing seems like a violation of GDPR as consent is not considered freely given if made a condition for providing a service (GDPR Article 7(4)).

    2. Pascal Monett Silver badge

      Re: Not quite the same issue

      It is exactly the same issue - they are forcing you to accept cookies to use their site. That is violation of consent.

    3. veti Silver badge

      Re: Not quite the same issue

      Five little words: "Clear private data on exit". The site can't tell the difference between a session cookie and one saved to storage, so exploit that. Let them plant whatever they like on me, it'll be gone the minute I close the browser.

  6. LateAgain

    I've seen some Damned good defaults

    Many, good, sites default to allowing cookies they need and not the advertising ones.

    Others will, if you look, list pages of associated companies and you have to de-select them one at a time.

    Which site would you go back to?

    1. Barrie Shepherd

      Re: I've seen some Damned good defaults

      "Others will, if you look, list pages of associated companies and you have to de-select them one at a time."

      Worse are those that list 40 odd other associated sites but you have to visit each of those sites to stop their cookies. Or they just push you to the generic Google 'disable cookies help pages.

    2. Anonymous Coward Silver badge
      Stop

      Re: I've seen some Damned good defaults

      But how many of those needed (aka functional) cookies are really "we need this so that our advertisers can track you and give us money"? I've certainly seen a few sites that claim that they cannot function without google cookies enabled.

    3. hoola

      Re: I've seen some Damned good defaults

      Yes, and the best of these on how not to do defaults is Reach PLC. This outfit owns a huge number of local papers (this is how I fell foul of them) but are the Daily Mail group.

      As soon as you hit the website you get the privacy notification. From there you can accept hundreds (I estimate around 800) of third party cookies all preselected or have to individually deselect every one. In reality it you wish to visit any of their websites, the only option is to accept all.

      I have already opened a case with the ICO but you have to start with Reach, They have just ignored the contact (as you would expect). All we can hope is that enough people also raise it with the ICO. Then they may just get wacked with a fine and have to fix it. The pain is every single website has to be reported separately.

      Generally German websites are the best with all defaults being off.

      1. Alan Brown Silver badge

        Re: I've seen some Damned good defaults

        "All we can hope is that enough people also raise it with the ICO. "

        Or educate ICO staff to use the blockers and then have then go to these sites themselves.

  7. Marco van Beek
    Boffin

    Tracking already done by the time the popup is displayed

    Cookies aren’t really the problem these days. It is the plethora of code included from third party sites including, but not limited to, Facebook icons, Google analytics and javascript / css libraries. All of these sites can, and do, track me without any consent being asked of me, let alone agreed. While they may claim to not be able to track me ‘personally’, we all know that eventually the dots form a large enough picture for me to be uniquely identified, and they do not need to know my name for this to fall under the GDPR, just the fact that I am unique.

    1. Pascal Monett Silver badge

      Not if you use NoScript. With NoScript, only the code you allow runs and by default it allows nothing.

      Of course, these days that means that lots of sites are broken out of the box, but you can decide which code you want to let run and see if it gets better. If it doesn't and don't have a real need, just leave.

      I guarantee you that neither FaceBook nor Google nor Twitter are tracking me.

    2. brym

      Re: Tracking already done by the time the popup is displayed

      It's bs tactics for ad / PII revenue. Nothing else. I make all my sites not load ads, cookies, etc, unless visitors consent -- by default. It's not difficult. And guess what? Content is still perfectly readable! That's right, cookies are absolutely not needed to display the text or images of the page you want to visit. Fancy that! As for 3rd party JS / CSS, I don't use them. I write my own.

      It's not even slightly difficult to do the right and decent thing for visitors. There should be no excusing it. At all.

    3. Alan Brown Silver badge

      Re: Tracking already done by the time the popup is displayed

      "It is the plethora of code included from third party sites including, but not limited to, Facebook icons, Google analytics and javascript / css libraries."

      Yup, there's been a screaming match at $orkplace about this (particularly relating to google analytics). You'd think people don't know how to run website analysis scripts anymore.

  8. Reg T.

    If someone slips Juncker a bottle of vodka (or two)

    all will be well. He is the norm for the EU, is he not?

  9. Tommy Pock

    Everyone who needs to deal with the GDPR knows that explicit consent has to be given, and pre-checked tick-boxes do not comply and have never complied with the GDPR. I can't quite believe we're still having to deal with this

    1. Anonymous Coward
      Anonymous Coward

      (Ironically, I just registered to the reg and I had to fill out a google recaptcha, I never consented to that or was told I'd have to interact with Google)

      Thing is, GDPR means nothing until it has actually been used to fine a company for not complying. It's also "illegal" to download the latest Game of Thrones, but every year it's the most pirated TV show, just the same as the GDPR is supposed to be "opt in" consent, but most of the time, the options are pre-selected and you have to uncheck sometimes dozens of boxes only for it to be stored in a cookie/local/session storage (ironically enough) where your choices are "forgotten" (how convenient) and are not shared across devices (because that could be bad).

      So they make it as hard as possible so you'll just give in and click that "I agree" button.

      This will keep happening until each and every instance is both publicly documented and fined, maybe a database of companies that violated the GDPR and how much they were fined is in order.

      Until then, the GDPR is more fairy tale wishful thinking than an actual law.

  10. Conundrum1885

    GDPR

    I heard that if Brexit goes wrong, people's EU originating content on iTunes and Google Play may no longer be available in the UK and even be remotely removed from devices after this date.

    1. Joe W

      Re: GDPR

      Couldn't that happen any time? I seem to recall something with the Kindle... or somesuch thingy.

  11. Anonymous Coward
    Anonymous Coward

    What's this at the bottom of the screen with what seems to be just an "ok" ?

    I think it needs to be clearer on an android tablet. I see now one can go to a page of waffle then on to umpteen other places to try to stop the spying. That can't be right either.

  12. Anonymous Coward
    Anonymous Coward

    I prefer biscuits

    I'm not American.

  13. 0laf Silver badge
    WTF?

    I thought this was all settled. Consent must be freely given, informed and as easy to remove as to give. Assumed consent was out.

    I'm confused as to why is this even having to go to court?

    1. Alistair Silver badge

      @0laf:

      Advertising is Big Business on the Interwebs. Free Market Rules are required for Big Business. Laws are just Suggestions to Big Business. You expected *anything* else when there is 50 to 70 billion dollars a year at stake?

      1. Alan Brown Silver badge

        "Advertising is Big Business on the Interwebs. Free Market Rules are required for Big Business. Laws are just Suggestions to Big Business."

        There's a _very_ easy way of dealing with this.

        _All_ advertising is for _something_. _All_ advertising is done on behalf of a hirer.

        Make the hirer _jointly and severally liable_ for the violations - watch how fast the illegal activities dry up even if the Big Business thinks "they're only suggestions"

        Example: USA - Telephone Consumer Protection Act 1998 ("The Junk Fax Law") - pretty much stopped the flood tide of junk faxes overnight and caused people like Sanford Wallace to move into email spam instead. Only criminal groups like fax.,com were left in operation and the only legitimate companies who hired them were mom-and-pop outfits who'd been conned into believing it was legal - something they were _very_ quickly disabused of.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019