In Europe, Sites Can Only Track You If You Check the Box

Life online is rife with interruptions: Ads, auto-playing videos, paywalls (sorry!), requests to enable browser notifications, chat bubbles, extraneous toolbars, and interstitials all muddy the quotidian quest for content.

 

In recent years—thanks in part to last year’s rollout of the European Union’s General Data Protection Regulation—users have witnessed a surge in another type of digital distraction: the cookie consent box.

It’s that popup message often found stretching across the bottom of a webpage that implores you to accept cookies of some sort—usually accompanied by a slew of jargon—to continue using the site. Cookies are data files exchanged between a user and website operator that can be used to differentiate one user from another, provide continuity around the web, track browsing behaviors, and target ads.

Sometimes, users are given the option to select which types of cookies they will permit—e.g., Do you want the ones that tell Facebook and other advertisers exactly how long you spent browsing novelty T-shirts on a Sunday afternoon, or just the ones that allow the site to work?—and sometimes they are just left with a binary choice: Accept or go somewhere else. Often, it’s somewhere between the two. Some cookie consent boxes look binary but have hidden controls, while others come with all of the boxes pre-ticked to accept all cookies; almost all are unnecessarily confusing interruptions to most users.

The mind-numbing nature of cookie consent boxes leads many to ignore them or click whatever option will make them go away, which is great for information-hungry companies, as it means a bevy of third parties can continue to slurp up each begrudging user’s data.

But sites that rely on these methods to track users’ online browsing habits could be in for a rude awakening, thanks to a decision by the European Court of Justice. The EU’s highest court ruled Tuesday that sites must get a user’s explicit affirmative consent to drop cookies, and that “a box checked by default is therefore insufficient.”

The decision specifies that companies should obtain separate instances of affirmative user consent for each use of a cookie, that they must list the names of all companies controlling the tracking technology, and that they must note the cookies’ duration.

It also specifies that consent cannot be rolled into seemingly unrelated actions, like downloading a PDF or accessing normal features of a site. The decision was made in reference to a German case involving online lottery company Planet49, which required users to accept cookies to enter a promotion. The German Federation of Consumer Organizations first sued Planet49 in 2013, alleging that the absence of user consent was against the law. A 2011 EU Directive known as the cookie law required companies to obtain informed consent. These privacy protections were further strengthened in May 2018 with the implementation of GDPR, which classified cookies as personal data. Organization officials later brought the Planet49 case to Europe’s highest court, which means the decision has wide-reaching impact.

That will pose problems for the many sites and service providers that threw up a boilerplate cookie consent box to comply with GDPR. As one Twitter user noted, even the European court’s site appears to be out of compliance with the new privacy standards: