The Spanish Data Protection Agency (SDPA) has imposed a fine of 10,000 euros on those who have previously checked the data protection boxes when collecting a data subject's consent.
An opportunity to recall the rules on consent evoked by the Court of Justice of the European Union (CJEU) and taken up by the French CNIL on the issue of pre-ticked boxes.
The CJEU's interpretation
In a judgment of October 1, 2019, the Court had indicated that consent is not validly given when the storage of information is authorized by means of a box checked by default, which the user must uncheck in order to refuse to give consent (CJEU, 1 October 2019, C-673/17).
It retained this solution again in a judgment of November 11, 2020 (CJEU, November 11, 2020, C-61/19), stating that the box having been ticked by the data controller prior to the signature of this contract is not such as to demonstrate that this person has validly given his consent.
Recital 32 of the GDPR : « Silence, pre-ticked boxes or inactivity should not therefore constitute consent ».
The criteria of validity of the consent recalled by the CNIL
The CNIL has repeatedly reminded us that four cumulative criteria must be met for consent to be validly obtained. The consent must be free, specific, informed and unambiguous.
According to the last criterion, consent must be given by a clear declaration or other positive act. No ambiguity as to the expression of consent can remain. Pre-checked or pre-activated boxes cannot be considered unambiguous.
Article 2.4. Deliberation No. 2020-092 of September 17, 2020 adopting a recommendation proposing practical methods of compliance in the event of recourse to "cookies and other tracers".