Data collection: pre-checked box doesn't constitute consent

Data collection: pre-checked box doesn't constitute consent
Maëva Vidal

The Spanish Data Protection Agency (SDPA) has imposed a fine of 10,000 euros on those who have previously checked the data protection boxes when collecting a data subject's consent.

An opportunity to recall the rules on consent evoked by the Court of Justice of the European Union (CJEU) and taken up by the French CNIL on the issue of pre-ticked boxes.

The CJEU's interpretation

In a judgment of October 1, 2019, the Court had indicated that consent is not validly given when the storage of information is authorized by means of a box checked by default, which the user must uncheck in order to refuse to give consent (CJEU, 1 October 2019, C-673/17).

It retained this solution again in a judgment of November 11, 2020 (CJEU, November 11, 2020, C-61/19), stating that the box having been ticked by the data controller prior to the signature of this contract is not such as to demonstrate that this person has validly given his consent.

Recital 32 of the GDPR : « Silence, pre-ticked boxes or inactivity should not therefore constitute consent ».

The CNIL has repeatedly reminded us that four cumulative criteria must be met for consent to be validly obtained. The consent must be free, specific, informed and unambiguous.

According to the last criterion, consent must be given by a clear declaration or other positive act. No ambiguity as to the expression of consent can remain. Pre-checked or pre-activated boxes cannot be considered unambiguous.

Article 2.4. Deliberation No. 2020-092 of September 17, 2020 adopting a recommendation proposing practical methods of compliance in the event of recourse to "cookies and other tracers".


Subscribe to our newsletter

We will send you a few emails to keep you informed of our news and what's new in our solution*

*You will always be able to unsubscribe on each newsletter. Learn more.

The protection of personal data: a necessary defense for the individual in case of abuse

The AEPD sanctioned a property syndicate for including, without consent, the phone number in the WhatsApp application, and for not respondin...

Maëva Vidal

Sanction of the operator Orange España: lack of verification the identity of the person concerned

The Spanish Data Protection Agency (AEPD) has fined Orange Spain €30,000 for illegally registering a telephone line in the name of a custome...

Maëva Vidal

CJEU ruling against Google: Right to oblivion extended against manifestly inaccurate information

In a ruling dated December 8, 2022, the Court of Justice of the European Union (CJEU) states that the search engine operator must dereferenc...

Margaux Morel

A small step for DPOs, a big step for data protection is free to try, easy to set up, and work seamlessly together.

Startup for free Ask for a demo

Free 30 day trial - No credit card required - No commitment