90% cookies banners are wrong
Check any 10 websites and in 90% cases there will be the wrong cookies banner presented. And by wrong I mean – the user’s consent, banner tries to get, could not qualify as unambiguous.
General data protection regulation sets out crucial elements for consent to be valid: it must be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of his or her personal data. It could be done by a written statement, including by electronic means, or by an oral statement. This could include ticking a box, choosing technical settings or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.[1]
Silence, pre-ticked boxes or inactivity should not therefore constitute consent.[2]
So this is silence we are going to speak about now. In all 90% websites you visit, you will see something similar to this statement:
Website A uses cookies to provide you with a greater user experience. By using Website A you accept our Cookie Policy.
It seems like a big mistake in interpretation was made by those who consider user’s conduct – further website surfing – as the one which clearly indicates the user’s acceptance of the proposed processing of his or her personal data.
The biggest question for all involved in a legal support of websites is whether the user’s subsequent usage of website could really be considered as a conduct rather than silence. On the one hand – it could. But if we look at it from required unambiguousness perspective, it will be quite easy to doubt that user really expressed his or her agreement to allow processing of personal data.
First, we all know that often we simply ignore cookie banner information, if website allows so, and using website without agreeing or declining the processing of our personal data. Which would mean that we have not seen the warning that subsequent usage of a website would be considered as a consent for processing. It also means that we have no intention to devote our time to the question, which is more important for the website than us. It is a website that needs our personal data. And this is our freedom to meet website’s wishes or not.
Having this in mind – does this seem a clear indication of the user’s acceptance of the proposed processing of his or her personal data? I would argue that not. Can ignorance be interpreted as a conduct? Or is it already obvious that it is silence we are speaking about.
If we go further, there is another aspect which proves that cookie banners, which are similar to provided example, are totally wrong. Take a look – website offers us to get acquainted with Privacy policy which located somewhere on a website. We go there and voilà – we already using the website and thereby providing our consent for the processing of data we just going to find out about. Does that look like informed consent? Again – no.
And while websites try to circumvent users’ rights and to flirt with valid consent interpretation, European Data Protection Supervisor together with other institutions explicitly provided that inactivity from a data subject does not indicate unambiguous consent. Which is the case for websites obtaining consent with statements such as “by using our services, you consent to the processing of your personal data”. In that case, websites have to ensure that users manually and individually consent to such processing. [3]
[1] General Data Protection regulation, Recital 32
[2] Ibid.
[3] Handbook on European data protection law, 2018 edition: Publications Office of the European Union, 2018., p.149