Dr Asress Adimi Gikay (PhD, SJD, LLM), Lecturer in AI, Disruptive Innovation, Law Brunel Law School (Brunel University London); Twitter: @DrAsressGikay
Consent and Data Protection in the European Union
European Union data protection law is based on the conception that data protection is a fundamental right, something the General Data Protection Regulation (GDPR) upholds. Thus, personal data processing requires complying with stringent legal requirements. The GDPR prescribes that consent be specific, informed, unambiguous and given freely, requiring affirmative action by the individual. Over the years, companies have circumvented the consent requirement by resorting to various tactics.
First Rule of Cookies—Consent—Has Always Been Tricky
Despite data protection law aiming to give individuals control over their personal information through consent, researchers have argued that several challenges weaken individuals’ informational control. Because of the sophistication of privacy policies and the complexity of data collection systems, coupled with individuals’ limited cognitive capacity to process information, they lack sufficient informational control. In many cases, data collection consent forms or privacy policies are adhesion contracts in which the data subjects (individuals) have no power to bargain. This is notwithstanding the fact that consent should be decoupled from the provision of goods and services and not be imposed on the individual. Even if privacy agreements were negotiable, individuals do not have the time to scrutinize them adequately, owing to information overload coupled with the difficulty of understanding technical jargon.
Second Rule of Cookies—No Preselected Tick Boxes
As data collection in the traditional setting, where the individual supplies the information and consents to its processing, is being more tightly regulated, companies have been operating with a more efficient data collection and analysis method: deploying cookies. Cookies are small text files that websites place on the user’s device (terminal equipment) as the user browses, allowing the website to recognize the device and collect information about the user’s browsing behaviour. While cookies serve multiple purposes, including the proper functioning of websites, they are notably used to analyze the user’s browsing behaviour in order to deliver personalized advertising (marketing cookies). As cookies can collect personal data, their use must comply with personal data protection law: the ePrivacy Directive and the GDPR.
Although the primary law governing cookies is the ePrivacy Directive, the consent requirement under that Directive is governed by the GDPR. Despite the requirements of the ePrivacy Directive and the GDPR, companies have been applying questionable procedures to place cookies on the devices of millions of citizens. Most web-based data controllers used to present preselected tick boxes that, by default, made individuals accept cookies on their devices from the relevant website as well as from third-party websites. That lasted until 2019, when the Court of Justice of the European Union (CJEU) handed down its judgment in the Planet49 case, specifying that websites could no longer design cookie procedures that require positive action from the individual to opt out of cookie-based tracking of their behaviour. The judgment was meant to address the rampant tracking of individuals’ behaviour for marketing purposes, which required them to untick preselected checkboxes if they wished to opt out. A preselected checkbox contravenes the GDPR’s consent rules, which require consent to be manifested by affirmative action. The CJEU’s judgment has not changed cookie-based data collection much, as most websites merely switched to different tricks.
Third Rule of Cookies—Two Clicks are Too Many
The CNIL has made a similar decision against Google’s cookie practices. Facebook submitted a screenshot of the expected update to its cookie procedure for Europe, including France. The anticipated change has been implemented as of January 2022. The update renamed “Manage Data Settings” and “Accept all” to “Other options” and “Allow all cookies” respectively. In the second window (shown once the user clicks “Other options”), the new button is entitled “Allow essential cookies only” and appears next to “Allow all cookies”. The CNIL Committee found these anticipated changes to be insignificant as regards the validity of cookie consent.
Facebook’s argument that the GDPR does not require accepting and rejecting cookies to be equally easy for valid consent to be obtained was rejected. The CNIL clarified that the GDPR requires consent to be given freely. If accepting cookies is easier than rejecting them, individuals are nudged to consent rather than make a free choice. This is consistent with a 2020 study (cited in the decision) which found that 93.1% of users who are offered the option to manage their cookie settings in a second window accept the cookies without going to that second window. Fatigued by constant requests for consent, individuals accept the cookies without attempting to change their settings. Companies are capitalizing on this to collect data illegally from our devices.
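As an added illustration (not code from the article or from any of the companies it discusses), the consent model below encodes the two rules just described: no cookie category is preselected (Planet49), and “Reject all” sits on the first layer next to “Accept all” (the CNIL position), with non-essential cookies set only after an affirmative choice. The category names, button identifiers and cookie names are assumptions constructed for the example.

```javascript
// Added example: a minimal cookie-consent model for the banner rules in the
// article. Nothing non-essential is on by default, "rejectAll" is a
// first-layer button like "acceptAll", and cookies beyond the strictly
// necessary one are only set after an explicit choice. All names are
// constructed for illustration, not taken from any real site.
const CATEGORIES = ["analytics", "marketing"]; // non-essential categories

// Fresh consent state: every non-essential category is off (no pre-ticked boxes).
function newConsentState() {
  const state = { essential: true };
  for (const c of CATEGORIES) state[c] = false;
  return state;
}

// Apply the user's click. "acceptAll" and "rejectAll" are both first-layer
// buttons; "custom" carries an explicit per-category selection.
function applyChoice(state, choice, selection = {}) {
  const next = { ...state };
  for (const c of CATEGORIES) {
    if (choice === "acceptAll") next[c] = true;
    else if (choice === "rejectAll") next[c] = false;
    else if (choice === "custom") next[c] = selection[c] === true;
    else throw new Error(`unknown choice: ${choice}`);
  }
  return next;
}

// Decide which cookies may be set. The essential session cookie needs no
// consent (strictly necessary); every other cookie needs an explicit true.
function cookiesAllowed(state) {
  const allowed = ["session"]; // constructed: an essential session cookie
  if (state.analytics) allowed.push("_analytics_id");
  if (state.marketing) allowed.push("_ad_tracking");
  return allowed;
}

// Audit a banner description for the two patterns criticised in the article:
// pre-ticked categories and a reject option buried behind a second click.
function auditBanner(banner) {
  const findings = [];
  if (!banner.firstLayer.includes("rejectAll"))
    findings.push("reject option requires a second click");
  for (const [c, on] of Object.entries(banner.preselected || {}))
    if (on) findings.push(`category '${c}' is pre-ticked`);
  return findings;
}
```

Running `auditBanner` on a first layer of `["acceptAll", "otherOptions"]` reproduces the finding the CNIL made: rejection needs a second click.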
What Happens in the other EU Member States & the UK?
The CNIL’s decision, being taken under the ePrivacy Directive, is not subject to the GDPR’s one-stop-shop mechanism. Thus, it is binding on Facebook and Google only in France. Until all EU Member States, as well as the UK, take similar steps, both companies are unlikely to change their cookie practices in other countries. Many other companies still use dubious cookie policies. The majority of websites give the user the opportunity to reject cookies only with a second click, i.e., in a second window, while users can accept the cookies with one click.
Companies with this type of cookie setting include social media giants such as Twitter and Instagram, news sites such as the New York Times and the Washington Post, and brick-and-mortar companies such as Barclays UK. Even public institutions, including universities, have similar data collection and analysis practices. All of these organizations have cookie settings that do not comply with the GDPR/ePrivacy Directive as interpreted by the French DPA. It is only a matter of time before other DPAs follow in the footsteps of the CNIL.
Photo credit: Eran Sandler, via wikimedia commons