Consent and Cookies in EU Data Privacy Law: Two Clicks are Too Many





Dr Asress Adimi Gikay (PhD, SJD, LLM), Lecturer in AI, Disruptive Innovation, and Law, Brunel Law School (Brunel University London); Twitter: @DrAsressGikay


Consent and Data Protection in the European Union

European Union data protection law is based on the conception that data protection is a fundamental right, something the General Data Protection Regulation (GDPR) upholds. Thus, personal data processing requires complying with stringent legal requirements. The GDPR prescribes that consent be specific, informed, unambiguous and given freely, requiring affirmative action by the individual. Over the years, companies have circumvented the consent requirement by resorting to various tactics.

In December 2021, the French Data Protection Authority, Commission Nationale de l’Informatique et des Libertés (CNIL), imposed sanctions on Facebook (€60 million) and Google (€150 million) for illegal use of cookies, against the consent requirement. If Facebook and Google do not comply with the decisions within three months from the decision date, they would be paying €100,000 for each day of non-compliance. Because the decisions were made under the ePrivacy Directive, they are not subject to the GDPR’s one-stop-shop cooperation mechanism, so the French decisions bind the companies concerned only in France and would probably (if at all) affect cookies practice in other industries in France only. Nevertheless, websites across the EU and UK are non-compliant with the consent requirement in their use of cookies.

First Rule of Cookies— Consent— has Always Been Tricky

Despite data protection law aiming to give individuals control over their personal information through consent, researchers have argued that several challenges weaken the individuals’ informational control. Due to the sophistication of privacy policies and the complex systems of data collection coupled with the individuals’ cognitive ability to process information, they lack sufficient informational control. In many cases, data collection consent forms or privacy policies are adhesion contracts where the data subjects (individuals) have no power to bargain. This is notwithstanding the fact that consent forms should be decoupled from the provision of goods and services and not be imposed on the individual. Even if privacy agreements were to be negotiable, individuals do not have the time to adequately scrutinize them due to information overload coupled with challenges in understanding technical jargon.

In a 2020 Eurobarometer
survey conducted in EU Member States, 37% of the participants responded that
they do not read online privacy policies while 47% and 13% read them partially
and fully, respectively. Those who read privacy policies partially or do not
read them at all indicated that privacy policies are too long (66%) or unclear
and difficult to understand (31%). Some responded that it is sufficient for
them to know that the entity they deal with has a privacy policy (17%). While some
believed that they would be protected by law anyway (15%), others believed that
websites would not honour privacy terms (10%). The survey highlights that only
a small minority of individuals interacting over the internet read and
scrutinize privacy policies. The majority are not adequately protected by the
consent requirement even without the added challenge of cookies technology.

Second Rule of Cookies—No Preselected Tick Boxes

As data collection in a traditional setting, where the individual supplies the information and consents to its processing, is being more tightly regulated, companies have been operating with a more efficient data collection and analysis method: deploying cookies. Cookies are small text files that websites place on the user’s devices (terminal equipment) as the user browses to allow the website to recognize the user’s device and collect information about the user’s browsing behaviour. While cookies serve multiple purposes, including the proper functioning of websites, they notably analyze the user’s browsing behaviour for providing personalized advertisement (marketing cookies). As cookies can collect personal data, their use should comply with personal data protection law: the ePrivacy Directive and the GDPR.

Although the primary law governing cookies is the ePrivacy Directive, the consent requirement under that Directive is governed by the GDPR. Despite the requirements of the ePrivacy Directive and the GDPR, companies have been applying questionable procedures to launch cookies on the devices of millions of citizens. Most web-based data controllers used to present preselected tick boxes that, by default, made individuals accept cookies on their devices from the relevant website as well as third-party website(s), until 2019, when the Court of Justice of the European Union (CJEU) handed down a judgment in the Planet49 case, specifying that websites could no longer set cookies procedures to require positive action for the individual to opt out of cookies-based tracking of their behaviour. The judgment was meant to address the rampant tracking of individuals’ behaviour for marketing purposes by requiring them to untick preselected checkboxes if they wish to opt out. The preselected checkbox contravenes GDPR consent rules, which require consent to be manifested by affirmative action. The CJEU’s judgment has not changed cookies-based data collection, as most websites merely switched to different tricks.

Third Rule of Cookies—Two Clicks are Too Many

In December 2021, the CNIL imposed sanctions on Facebook and Google for the illegal use of cookies. According to the decision, FACEBOOK FRANCE made refusing cookies more difficult than accepting them. A Facebook user who wishes to log into FACEBOOK FRANCE would be shown a pop-up window (“Accept Facebook cookies in this browser”) which has two buttons: “Manage Data Settings” and “Accept Cookies.” Users who click “Accept Cookies” consent to cookies being stored on their computers, whereas those who want to refuse have to take further steps. They have to click on “Manage Cookies” to see a second window, which in turn has two buttons: “Accept Cookies” and “Reject Cookies”. However, various cookies options in the second window are not preselected, so clicking “Accept” at this stage without further action does not lead to consenting to cookies use. Those who wish to accept some cookies can activate the enable button (slide button) and accept the cookies. However, the CNIL Tribunal argued that users should not be taken to the second window to refuse cookies while they can accept cookies on the first window with one click: two clicks are too many. In essence, the decision establishes that rejecting cookies should be as easy as accepting them.

The CNIL has made a similar decision against Google’s cookies practice. Facebook submitted a screenshot of the expected cookies procedure update for Europe, including France. The change anticipated has been implemented as of January 2022. The update changed “Manage Data Settings” and “Accept all” to “Other options” and “Allow all cookies”, respectively. In the second window (once the user clicks “other options”), the new button is entitled “Allow essential cookies only”, which appears next to “Allow all cookies”. The CNIL Committee found these anticipated changes to be insignificant regarding the validity of cookies consent.

Facebook’s argument that, for valid consent to be obtained, the GDPR does not require accepting and rejecting cookies to be equally easy was rejected. The CNIL clarified that the GDPR requires consent to be obtained freely. If accepting cookies is easier than rejecting them, individuals would be influenced to consent rather than make a free choice. This is consistent with a 2020 study (cited in the decision) finding that 93.1% of users who are given the option to manage their cookies setting in the second window accept the cookies without going to the second window. Fatigued by a constant request for consent, individuals accept the cookies without attempting to change their settings. Companies are capitalizing on this to collect data illegally from our devices.

What Happens in the other EU Member States & the UK?

Because the CNIL’s decision was taken under the ePrivacy Directive, it is not subject to the GDPR’s one-stop-shop mechanism. Thus, it is binding on Facebook and Google only in France. Until all EU Member States, as well as the UK, take similar steps, both companies are unlikely to change their cookies use practice in other countries.
Many other companies still use dubious cookies policies. The majority of the
websites give the user the opportunity to reject cookies only with the second
click, i.e., at the second window, while users can accept the cookies with one

Companies that have this type of cookie setting include social media giants such as Twitter and Instagram, news sites such as the New York Times and the Washington Post, and brick-and-mortar companies such as Barclays UK. Even public institutions, including universities, have similar data collection and analysis practices. All these companies have cookies settings that do not comply with the GDPR/ePrivacy Directive as interpreted by the French DPA. It is only a matter of time before other DPAs follow in the footsteps of the CNIL.


Photo credit: Eran
Sandler, via wikimedia


