After CJEU ruling, pre-ticked consent boxes could blow up in merchants’ faces
A Court of Justice of the European Union (CJEU) ruling late last year places much greater restrictions on how video game and other websites obtain users’ permission to collect and store their personal data. From now on, any company wishing to gather and use player or customer data must ensure consent is “freely given” through an “affirmative action.” The ruling, which gives the General Data Protection Regulation (GDPR) more bite, affirms a fine handed down by the court’s Advocate General panel against telecommunications firm Orange Romania for:
[Failure] to demonstrate that the data subject has, by active behavior, given his or her consent to the processing of his or her personal data and that he or she has obtained, beforehand, information relating to all the circumstances surrounding that processing, in an intelligible and easily accessible form, using clear and plain language, allowing that person easily to understand the consequences of that consent, so that it is given with full knowledge of the facts.
As a result, companies conducting web-based business in Europe must now comply with several new guidelines to show they obtained valid consent to handle customer information:
- Positive Consent – In accordance with established GDPR rules, customers’ consent must be freely given, specific, informed, and unambiguous. These requirements ARE NOT met by forcing site visitors to opt-out of sharing their data or by claiming consent as the default selection on a form. The court expressed that user “silence,” inactivity, or neglecting to deselect a pre-ticked box does not constitute validly given consent.
- Note on Cookies – Websites must obtain users’ positive consent before using cookies since many cookies store personal data. However, the use of “strictly necessary cookies,” or cookies that are essential for a user to browse a website and use its features, does not require consent. Despite this exception, it is best practice to disclose the use of strictly necessary cookies.
- Freedom of Choice – Tying consent to permission to use the site’s features or eligibility to order service is not permitted. For example, a company is not allowed to bar customers from signing up for cellular phone service or accessing content simply because they withhold permission to collect and use their data. Nor may they lead people to believe they may be excluded if they withhold personal information. The court ruled that forcing customers who wish to opt-out to fill out a separate form or handwrite a request that the company will not collect and store their information trammels their freedom of choice.
- Transparency – the data controller must be clear as to the purpose for collecting personal data and how it will be used. Informed consent only occurs when consumers can accurately judge the consequences of allowing the transfer of their personal information. GDPR requires controllers to demonstrate why collecting consumer data is lawful in their case, how long they will keep the personal statistics, and whether they will share it with third parties.
The burden of proof that valid informed consent has been properly obtained falls to the company collecting the data.
The CJEU heard the case after Orange Romania appealed a fine levied by the Romanian Data Protection Authority based on findings that the telecom had secured consent to store copies of customers’ identity documents by pre-ticking the “agree” space in their contracts. The practice, the authorities decided, negated the assumption that permission was freely given because customers were not required to take an active part in choosing to agree.
The company apparently followed the rules by providing customers information about why, how, and for how long it would keep copies of their documents and asked them to sign the consent form stating that “Orange România has provided the customer with all the necessary information to enable him or her to give his or her unvitiated, express, free and specific consent to the conclusion and express acceptance of the contract . . . ; he or she has been informed of, and has consented to [the copying and storing of their data].”
However, the affirmation of consent and the acknowledged receipt of the rationale were, at least in some cases, “pre-answered” for the trader in the form of the pre-ticked boxes. Those who refused to sign still could receive the same contracted service from the phone company as did consenters. However, they were asked to confirm their refusal by filling out an additional form. The authority held, and the court agreed, these actions constituted questionable methods for guiding customers to make certain choices. Such methods are also known as so-called “dark patterns.”
The ruling in Orange Romania and a previous judgment involving Planet49, a German online lottery, raises the privacy and consent bar for video game platforms, esports leagues and tournaments, online casinos, and other companies operating in the real-money and digital media niches. The ramifications extend well beyond European companies. Anyone who markets to or serves European consumers now must demonstrate that they give users full control over their consent decisions. Complete transparency, legally sound policies, and total exercise of free will have become the new standards that must be maintained.
Organizations that use pre-ticked consent permission and disclosure declaration forms, either online or on paper, will need to have those forms rewritten in precise legal language to protect both the consumer and the company. “Generic” or standard forms will no longer suffice in Europe. An attorney experienced in consumer and business contracts, as well as emerging digital technologies, can assure consent clauses pass the new, more stringent GDPR standards. A lawyer specializing in entertainment, video game, blockchain, and AR/VR law will craft documents that fully and accurately prove consent is freely given after receiving complete information on how site user personal data will be collected, stored, and used. Moreover, knowledgeable counsel can provide strategies to help companies guard against charges of misleading practices and failure to maintain substantive transparency.
Gamma Law is a San Francisco-based firm supporting select clients in cutting-edge business sectors. We provide our clients with the support required to succeed in complex and dynamic business environments, push the boundaries of innovation, and achieve their business objectives, both in the U.S. and internationally. Contact us today to discuss your business needs.