Pre-checked cookie consent boxes are not legally valid

I read an interesting TechCrunch article yesterday, entitled: Europe’s top court has ruled that pre-checked consent boxes for dropping cookies are not legally valid.

When the law was first announced that viewers were required to give their consent for cookies, I think everyone kind of interpreted that in their own way:

  • Go over the top with consent popups
  • Add a notice saying cookies were in use
  • Simply ignore the law and not do anything

In fact, the whole law led to my miserable experience browsing sites and having to dismiss all of the annoying popup consent forms. This experience is even worse if you browse a lot of news websites from your phone.

I agree with the law to not be tracked without consent, but I don’t agree with how we’re supposed to legally implement the solution for our visitors.

My own interpretation

I fell into the category of doing a half-arsed job of adding a Cookie Notice saying something like:

This website uses cookies to deliver the best possible experience, whilst remaining GDPR compliant. (which I use not on this very site)

However, this is not compliant in the eyes of the law. Yes, it informs visitors that Cookies are in play and there is even a link that tells you a bit more about cookies. However, the notice assumes that the customer has already given their consent.

On this forum, I use 2 tracking cookies; Google Analytics to see how the site is growing and how to optimise it & ironically a Cookie Notice that knows if you’ve dismissed the box.

But what about eCommerce?

How badly are eCommerce businesses affected?

Take a look at these points. In the eyes of the law only Essential cookies are allowed to be enabled by default. The customer has to physically go out of their way to activate everything else.

| Cookie Type | Description | Example | State |
| --- | --- | --- | --- |
| Essential | Essential cookies are a website’s basic form of memory, used to store the preferences selected by users on a given site. As the name implies, they are essential to the website’s functionality and cannot be disabled by users. For example, an essential cookie may be used to prevent users from having to log in each time they visit a new page in the same session. | Logging in and checking out | Enabled |
| Performance and functionality | These cookies are used to enhance the performance and functionality of your website, but are not essential to its use. However, without these cookies, certain functionality (like videos) may become unavailable. | Live Chat | Disabled |
| Analytics and customization | Analytics and customization cookies track user activity so website owners can better understand how their site is being accessed and used. | Google Analytics and A/B Testing | Disabled |
| Advertising | Advertising cookies are used to customize the user’s ad experience on a website. Using the data collected from these cookies, websites can prevent the same ad from appearing again and again, remember user ad preferences, or tailor which ads appear to users based on their activities. | Abandoned Carts | Disabled |
| Social networking | Social networking cookies are used for exactly that – they allow users to share content on social media platforms and help link activity between a website and third-party sharing platforms. | Reviews | Disabled |

Pre-checked consent boxes (or cookie banners that tell you a cookie has already been dropped and pointlessly invite you to click ‘ok’) aren’t valid under EU law.

What to do?

Well, obviously we all need to follow the law… As do our competitors. However, acting now and becoming compliant means that our competitors get the “upper-hand” until they decide to become compliant.

So, should we “test our luck” until the last possible moment in order to hold onto our beloved features as long as we possibly can? The answer should be “No, I will become compliant right now” but my gut says otherwise.

Am I concerned?

From a forum point-of-view, not really. I don’t do any targeted advertising but it sucks that I don’t know who and why people are visiting the site.

From an eCommerce point-of-view, Hell yeah! As you’ve seen from the examples above, the law means having to disable all website features unless the customer explicitly says otherwise. Plus, how can we rely on our Analytics Data if it no longer tells the full picture? Comparing like-for-like data will be useless.

What are your thoughts and concerns on this topic? How does this affect you and your business? Have I missed a loophole? Can you think of any other features that won’t work unless the customer opts in? Let me know.


I was recently on the Audi.co.uk website (looking at all the cars I couldn’t afford) and I noticed that their cookie acceptance button was labelled “Accept Recommended Settings”.

After a couple of minutes of digging, I noticed that the website appeared to be following the GDPR rules correctly, which was to have all cookies disabled until the visitor opted in.

The way this was implemented is actually quite clever, because most people would just click “Accept Recommended Settings” to dismiss the box. However, it’s still all clearly marked up and legitimate.

Luckily for us, the tool they’re using is by a 3rd party called Civic and can be found here. There is a Free and a Paid option that allows for more customisation.

I’m yet to implement this myself but I just figured I’d share what I’d found in case anyone was looking for solutions.
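
The default states in the cookie table and the "disabled until the visitor opts in" behaviour described above can be modelled as a small consent gate. This is an added example, not code from the posts or from Civic's tool; the function names and sample cookie names are hypothetical.

```javascript
// Added example: category names follow the table above; all function
// and cookie names here are hypothetical.
const CATEGORIES = ["essential", "performance", "analytics", "advertising", "social"];

// Only essential cookies start enabled; nothing else is pre-checked.
function defaultConsent() {
  const state = {};
  for (const c of CATEGORIES) state[c] = { granted: c === "essential", explicit: false };
  return state;
}

// Record a choice only when it came from a real user action on an
// unchecked control. A pre-checked box left untouched has explicit=false.
function recordChoice(state, category, granted, explicit) {
  if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
  if (category === "essential") return state;   // cannot be disabled by users
  if (!explicit) return state;                   // ignore defaults and pre-ticks
  return { ...state, [category]: { granted: Boolean(granted), explicit: true } };
}

function mayUse(state, category) {
  const entry = state[category];
  if (!entry) return false;                      // unknown category: deny
  return category === "essential" || (entry.granted && entry.explicit);
}

// Constructed sample: cookies a shop might want to set, tagged by category.
const SAMPLE_COOKIES = [
  { name: "session_id", category: "essential" },
  { name: "live_chat", category: "performance" },
  { name: "_ga", category: "analytics" },
  { name: "abandoned_cart", category: "advertising" },
  { name: "review_widget", category: "social" },
];

// Names of the cookies the current consent state permits.
function allowedCookies(state, cookies) {
  return cookies.filter((c) => mayUse(state, c.category)).map((c) => c.name);
}

let consent = defaultConsent();
console.log(allowedCookies(consent, SAMPLE_COOKIES));        // before any choice
consent = recordChoice(consent, "advertising", true, false); // pre-ticked, untouched
consent = recordChoice(consent, "analytics", true, true);    // visitor ticked it
console.log(allowedCookies(consent, SAMPLE_COOKIES));
```

Every script or cookie write on the page would call `mayUse` first, so a tag such as analytics is loaded only after the visitor's own action has been recorded.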