Pre-ticked boxes are not valid forms of consent under the GDPR
Consent under the GDPR needs to be unambiguous
08 April 2020
On 4 March 2020, Advocate General Spuznar (AG) of the European Court of Justice (CJEU) delivered an Opinion in the Case C-61/19 (Orange România) confirming the CJEU's previous position on the strict requirements to be complied with in order to rely on consent as a lawful ground for the processing of personal data under the EU’s General Data Protection Regulation (GDPR).
The GDPR requires the processing of personal data to be justified on a limitative list of grounds, which include consent amongst others. Contrary to former Directive 95/46 which the GDPR amended, consent now requires, in order to be lawful :
- to be unambiguous,
- manifested through an affirmative action and
- by an informed data subject.
The CJEU ruled in Case C-673/17 ("Planet49") that a pre-ticked box on an online subscription form does not meet the requirement of an affirmative action by the data subject ; the lack of refusal by the data subject does not equate to consent for data protection purposes.
In a similar fact pattern, the Orange România case concerns the reliance of a telephone operator, in the context of their subscription agreements, on preticked boxes to keep copies of the identity documents of its customers.
Although it seems legitimate for an undertaking to ask customers to prove their ID for the purposes of the conclusion of a contract, requiring them to consent to the copying and storing of identity documents appears to the AG to go beyond what is necessary for the performance of the contract.
The AG also finds that the data processing is unlawful, the criteria for a valid consent being not fulfilled:
- Consent was not freely given. Customers needed to state their refusal to the data processing, in absence of which they were deemed to consent. The AG considers that such a refusal puts customers into a situation deviating from the "normal" conclusion of a contract. Customers facing this choice would therefore be compelled to consent, which leads the AG to conclude that such consent is not freely given.
- There was no affirmative action. Data subjects intending to enter into a contractual relationship do not take an active step when they are required to state (in handwriting in a standardised contract) their refusal to consent to the processing of their personal data, i.e., the photocopying and storage of their ID documents.
- The data subjects were not appropriately informed. In addition to the issues raised on the quality of the consent itself, Orange România fails to demonstrate that customers were appropriately informed of the processing of their personal data as required by the accountability principle under the GDPR. For the AG, such shortcomings in the internal processes of Orange România cannot be to the detriment of the customers.
The AG thus concludes that the data processing is unlawful.
Planet49 and Orange România highlight the strictness with which the CJEU - and consequently the data protection authorities responsible for fines in relation to unlawful data processing - interprets the criteria to obtain valid consent. Careful consideration should be brought to these criteria, and in particular to the active nature of the consent given by the data subject.
In cases where the obtention of valid consent is not certain, and where consent is not specifically required, it is recommended from a practical perspective that the processing of personal data be rather based on other possible grounds.
Key Take-Away Points
- Consent under the GDPR needs to be unambiguous, made through affirmative action, and by an informed data subject
- The CJEU and the AG held that pre-ticked boxes in an agreement do not constitute valid consent under the GDPR
- Other grounds for processing of personal data should be favoured over consent.
Camille Tulasne and Ottavio Covolo contributed to the writing of this article