Sunday, 23 January 2022

Consent and Cookies in EU Data Privacy Law: Two Clicks are Too Many

Dr Asress Adimi Gikay (PhD, SJD, LLM), Lecturer in AI, Disruptive Innovation, Law, Brunel Law School (Brunel University London); Twitter: @DrAsressGikay


Consent and Data Protection in the European Union

European Union data protection law is based on the conception that data protection is a fundamental right, something the General Data Protection Regulation (GDPR) upholds. Thus, personal data processing requires complying with stringent legal requirements. The GDPR prescribes that consent be specific, informed, unambiguous and given freely, requiring affirmative action by the individual. Over the years, companies have circumvented the consent requirement by resorting to various tactics.

In December 2021, the French Data Protection Authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), imposed sanctions on Facebook (€60 million) and Google (€150 million) for illegal use of cookies in breach of the consent requirement. If Facebook and Google do not comply with the decisions within three months of the decision date, they will pay €100,000 for each day of non-compliance. Because the decisions were made under the ePrivacy Directive, they are not subject to the GDPR's one-stop-shop cooperation mechanism; the French decisions therefore bind the companies concerned only in France and would probably affect cookie practices in other industries (if at all) in France only. Nevertheless, websites across the EU and UK are non-compliant with the consent requirement in their use of cookies.

First Rule of Cookies: Consent has Always Been Tricky

Although data protection law aims to give individuals control over their personal information through consent, researchers have argued that several challenges weaken that informational control. Because privacy policies are sophisticated and data collection systems complex, and because individuals have limited cognitive capacity to process the information, individuals lack sufficient informational control. In many cases, data collection consent forms or privacy policies are adhesion contracts in which the data subjects (individuals) have no power to bargain. This is notwithstanding the fact that consent forms should be decoupled from the provision of goods and services and not be imposed on the individual. Even if privacy agreements were negotiable, individuals do not have the time to scrutinize them adequately, due to information overload coupled with the difficulty of understanding technical jargon.

In a 2020 Eurobarometer survey conducted in EU Member States, 37% of the participants responded that they do not read online privacy policies, while 47% and 13% read them partially and fully, respectively. Those who read privacy policies partially or do not read them at all indicated that privacy policies are too long (66%) or unclear and difficult to understand (31%). Some responded that it is sufficient for them to know that the entity they deal with has a privacy policy (17%). While some believed that they would be protected by law anyway (15%), others believed that websites would not honour privacy terms (10%). The survey highlights that only a small minority of individuals interacting over the internet read and scrutinize privacy policies. The majority are not adequately protected by the consent requirement even without the added challenge of cookie technology.

Second Rule of Cookies: No Preselected Tick Boxes

As data collection in the traditional setting, where the individual supplies the information and consents to its processing, has become more tightly regulated, companies have turned to a more efficient method of data collection and analysis: deploying cookies. Cookies are small text files that websites place on the user’s devices (terminal equipment) as the user browses, allowing the website to recognize the user's device and collect information about the user's browsing behaviour. While cookies serve multiple purposes, including the proper functioning of websites, they are notably used to analyze the user's browsing behaviour in order to provide personalized advertisement (marketing cookies). As cookies can collect personal data, their use should comply with personal data protection law, namely the ePrivacy Directive and the GDPR.

Although the primary law governing cookies is the ePrivacy Directive, the consent requirement under that Directive is governed by the GDPR. Despite the requirements of the ePrivacy Directive and the GDPR, companies have been applying questionable procedures to set cookies on the devices of millions of citizens. Until 2019, most web-based data controllers presented preselected tick boxes that, by default, made individuals accept cookies on their devices from the relevant website as well as from third-party websites. In 2019 the Court of Justice of the European Union (CJEU) handed down its judgment in the Planet49 case, specifying that websites could no longer design cookie procedures so that the individual must take positive action to opt out of cookie-based tracking of their behaviour. The judgment was meant to address the rampant tracking of individuals' behaviour for marketing purposes, which relied on requiring them to untick preselected checkboxes if they wished to opt out. A preselected checkbox contravenes the GDPR consent rules, which require consent to be manifested by affirmative action. The CJEU's judgment has not changed cookie-based data collection, as most websites merely switched to different tricks.

Third Rule of Cookies: Two Clicks are Too Many

In December 2021, the CNIL imposed sanctions on Facebook and Google for the illegal use of cookies. According to the decision, FACEBOOK FRANCE made refusing cookies more difficult than accepting them. A Facebook user who wishes to log into FACEBOOK FRANCE is shown a pop-up window (“Accept Facebook cookies in this browser”) with two buttons: “Manage Data Settings" and "Accept Cookies." Users who click "Accept Cookies" consent to cookies being stored on their computers, whereas those who want to refuse have to take further steps. They have to click on "Manage Data Settings" to reach a second window, which in turn has two buttons: "Accept Cookies" and "Reject Cookies". However, the various cookie options in the second window are not preselected, so clicking "Accept" at this stage without further action does not amount to consenting to the use of cookies. Those who wish to accept some cookies can activate the enable button (slide button) and then accept the cookies. The CNIL Tribunal held that users should not be taken to a second window to refuse cookies when they can accept cookies on the first window with one click: two clicks are too many. In essence, the decision establishes that rejecting cookies should be as easy as accepting them.

The CNIL has made a similar decision against Google’s cookie practice. Facebook submitted a screenshot of the expected update to its cookie procedure for Europe, including France. The anticipated change has been implemented as of January 2022. The update renamed "Manage Data Settings" and "Accept all" to “Other options” and “Allow all cookies”, respectively. In the second window (once the user clicks “Other options”), the new button is entitled “Allow essential cookies only” and appears next to “Allow all cookies”. The CNIL Committee found these anticipated changes to be insignificant regarding the validity of cookie consent.
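As an added illustration (not part of the original post), the two dialog flows described above can be modelled as a small graph of screens and buttons and audited for the asymmetry the CNIL objected to: the fewest clicks needed to reject cookies against the fewest needed to accept them all. The button and screen names follow the text; the graph structure and the compliant flow are constructed approximations.

```python
from collections import deque

ACCEPT, REJECT = "ACCEPT", "REJECT"  # terminal outcomes of a dialog


def min_clicks(flow, start, outcome):
    """Breadth-first search over the dialog graph: fewest clicks from the
    start screen to the given terminal outcome, or None if unreachable."""
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        screen, clicks = queue.popleft()
        for target in flow[screen].values():
            if target == outcome:
                return clicks + 1
            if target in (ACCEPT, REJECT) or target in seen:
                continue  # other terminal, or a screen already visited
            seen.add(target)
            queue.append((target, clicks + 1))
    return None


def audit(flow, start="first"):
    """Report click depth for accept and reject; symmetric means rejecting
    is no harder than accepting (the 'two clicks are too many' test)."""
    accept = min_clicks(flow, start, ACCEPT)
    reject = min_clicks(flow, start, REJECT)
    symmetric = accept is not None and reject is not None and reject <= accept
    return {"accept_clicks": accept, "reject_clicks": reject, "symmetric": symmetric}


# Constructed model of the flow described in the CNIL decision.
FACEBOOK_2021 = {
    "first": {"Accept Cookies": ACCEPT, "Manage Data Settings": "second"},
    # nothing is preselected: "Accept Cookies" here does nothing until a toggle is enabled
    "second": {"Accept Cookies": "second", "Reject Cookies": REJECT, "enable toggle": "second_toggled"},
    "second_toggled": {"Accept Cookies": ACCEPT, "Reject Cookies": REJECT},
}
# Constructed model of the January 2022 update (renamed buttons, same depth).
FACEBOOK_2022 = {
    "first": {"Allow all cookies": ACCEPT, "Other options": "second"},
    "second": {"Allow all cookies": ACCEPT, "Allow essential cookies only": REJECT},
}
# Hypothetical flow offering both choices on the first screen.
SYMMETRIC = {
    "first": {"Accept all": ACCEPT, "Reject all": REJECT, "Manage": "second"},
    "second": {"Save choices": ACCEPT, "Reject all": REJECT},
}

if __name__ == "__main__":
    for name, flow in [("Facebook 2021", FACEBOOK_2021), ("Facebook 2022", FACEBOOK_2022), ("symmetric", SYMMETRIC)]:
        print(name, audit(flow))
```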

Facebook's argument that the GDPR does not require accepting and rejecting cookies to be equally easy for valid consent to be obtained was rejected. The CNIL clarified that the GDPR requires consent to be given freely. If accepting cookies is easier than rejecting them, individuals are nudged to consent rather than make a free choice. This is consistent with a 2020 study (cited in the decision) finding that 93.1% of users who are given the option to manage their cookie settings in a second window accept the cookies without going to that second window. Fatigued by constant requests for consent, individuals accept the cookies without attempting to change their settings. Companies are capitalizing on this to collect data illegally from our devices.

What Happens in the Other EU Member States and the UK?

Because the CNIL's decision was taken under the ePrivacy Directive, it is not subject to the GDPR’s one-stop-shop mechanism. Thus, it is binding on Facebook and Google only in France. Until all EU Member States, as well as the UK, take similar steps, both companies are unlikely to change their cookie practices in other countries. Many other companies still use dubious cookie policies. The majority of websites give the user the opportunity to reject cookies only with a second click, i.e., in a second window, while users can accept the cookies with one click.

Companies with this type of cookie setting include social media giants such as Twitter and Instagram, news sites such as the New York Times and the Washington Post, and brick-and-mortar companies such as Barclays UK. Even public institutions, including universities, have similar data collection and analysis practices. All these organisations have cookie settings that do not comply with the GDPR/ePrivacy Directive as interpreted by the French DPA. It is only a matter of time before other DPAs follow in the footsteps of the CNIL.


Photo credit: Eran Sandler, via Wikimedia Commons


  1. One of the reasons users click 'accept' without reading the text is that, since every website now has a cookie popup, you would do nothing else all day if you did. I might have consented to all sorts of things without knowing. A much better solution would be to allow the user to predefine which categories of cookies they will accept/decline/want to be notified of in their browser settings and let the browser notify the site.

  2. Informative post. But how about the increasing abuse of 'justified interest' boxes, which are already ticked, and sometimes extend to all kinds of situations that previously fell under the cookie regime? High time for a CJEU case on that perhaps. I'd appreciate any insight on this.