back to article A pre-ticked box in web forms should NOT mean consent - EU report

Businesses will not be able to use pre-ticked boxes to gain user consent for the processing of their data under changes proposed by the European Parliament to new EU data protection laws. In a new report, Jan-Philipp Albrecht, a rapporteur for the European Parliament's Civil Liberties, Justice and Home Affairs Committee on the …


This topic is closed for new posts.
  1. FartingHippo
    Thumb Up

    All seems very sensible

    Hurray for the EU!

    Oh my, did I just write that?

    1. Graham Dawson Silver badge

      Re: All seems very sensible

      Given that privacy legislation is a sole EU competence (partially under the lisbon treaty and partially under european human rights legisation that became our human rights act), and given it doesn't allow any subsidiarity in this particular area, it's not so much "hooray for the EU" as "we could have done this years ago if they weren't sitting on it".

      Ever wondered why UK privacy reform is so mealy-mouthed and bitty? They're having to work around the fringes of the problem because the EU doesn't allow national parliaments to act on this issue any more, so instead they legislate in areas where they can at least appear to be doing something. That's why were getting loas of bullshit laws criminalising everything and levying fines on everything else.

      1. Gav

        Re: All seems very sensible

        "We" are "they". The UK is part of the EU. The UK has just as much a hand in its legislation as any other member (Euro excepted). So the idea that the EU has been holding the UK back on striding forward to solve this problem is mistaken. In fact, given the current political make up of both governing bodies, it's a bit of a joke to suggest the UK would have done this ages ago if it hadn't been for the EU.

        1. Nuke

          @Gav - Re: All seems very sensible

          Gav wrote :- " The UK is part of the EU. The UK has just as much a hand in its legislation as any other member (Euro excepted)."

          It may be as much but it is not 100% as it would be if the UK controlled our own laws. Same goes for any other of those countries, who's citizens from time to time probably feel as frustrated as UK do - but probably about different matters because Italians, French, Romanians, whoever, clearly have a different midset on many matters from the British, and no doubt from each other too.

          And different climate. For me, as the owner of about 400m of wooden fencing, the last straw was the EU banning creosote. That might be all very well in dry countries like Greece and Spain, and for Germany where most people live in apartments, but not in the damp mists of the Welsh hills where I live.

          Whether the UK itself would be any better than the EU in its laws is a different matter, but there is no doubt that creosote would not have been banned here - just an example.

          And don't start about my using meters above rather than yards to claim I should love the EU. I like French wine and Italian food too as it happens. But you don't need to be in the EU to buy French wine, any more than you need to be in the Malaysian Federation to buy rubber tyres

          1. Tim Parker

            Re: @Gav - All seems very sensible

            "For me, as the owner of about 400m of wooden fencing, the last straw was the EU banning creosote. "

            The EU did not ban creosote - they regulated its use (restricted to professional users under certain circumstances). No massive hardship either way - creosote is fucking horrible stuff and a pain to apply properly to wood in a domestic setting and there are endless replacements for it of varying efficacy and ease of use (most considerably easier and more pleasant to use than creosote in a domestic setting, such as yours sounds).

            Sensible choices of wood types for particular uses also helps - e.g. woods such as Azobe or Jarrah for posts, buried structures and submerged (or partly) sub-merged location. Properly pre-treated timber, whilst not protected forever, should help keep maintenance to a sensible level as well.

            The carcinogenic issues of creosote are far from proven in humans, although a 'probable' or 'possible' rating is not completely without merit - but even so, given the amount of viable alternatives that are drastically less toxic overall and far more pleasant to use, i'm not convinced it's that bad that its use is restricted to a group of people who supposedly should know how, where and when to use it.

            1. FlatEarther

              Re: @Gav - All seems very sensible

              I can confirm that termites don't like jarrah, but will eat it if there's nothing better. However, they won't touch creosote soaked jarrah in a hundred years. They'd rather eat concrete

      2. Greg J Preece

        Re: All seems very sensible

        Ever wondered why UK privacy reform is so mealy-mouthed and bitty? They're having to work around the fringes of the problem because the EU doesn't allow national parliaments to act on this issue any more,

        Given their complete failure to act in cases of ISP wiretapping, etc, and their continued attempts to track as much citizen data as possible, do you honestly think the UK gov would give two hoots for your data privacy on its own?

      3. Matt 21

        Re: All seems very sensible @Graham Dawson Silver

        I don't think you can be right as I'm currently working in another EU country and here boxes must be unticked.

        I also have to agree with the other commentator who pointed out that the UK is part of the EU and involved in making decisions. It was interesting that Cameron recently threatened the veto, thus showing that the UK could have done that all along but chose not too. Basic policy for Labour and Tories is, unpopular policy, blame the EU.

      4. Alan Brown Silver badge

        Re: All seems very sensible

        ITYM they're trying as hard as possible to keep UK optin-in laws like the USA's ones and repeatedly being smacked down by the EU because of it.

        Writing clearly worded stuff is easy. Mealy mouthed stuff is only needed when you need something to do the opposite of what it appears to do.

  2. Dan 55 Silver badge

    Soon on a form/website near you...

    [ ] I consent to not having my information passed onto third parties.

  3. Simon Jones [MSDL]

    [ ] Don't tick this box...

    ...if you don't not want to not have your data not exploited.

    1. Ole Juul

      [ ] Don't tick this box...

      if you want us to tick it on your behalf.

      1. Khaptain Silver badge

        Re: [ ] Don't tick this box...

        Please be advised that by ticking this box we will own your Soul, for all of eternity and beyond.

        Sincerely yours E Schmidt.

    2. Anonymous Coward
      Anonymous Coward

      Re: [ ] Don't tick this box...

      I've seen a very similar worded option recently, not sure where (might have been British gas) along the lines of: Please check this box if do not want us to not pass your information to "selected" 3rd parties

      (Selected being ANYONE who will give us a couple of pence)

      1. Anonymous Custard Silver badge

        Re: [ ] Don't tick this box...

        And the other little trick that seems to be popping up too on a single form/page:

        [ ] tick here if you don't want us to send you spam.

        [ ] tick here if you consent to us selling your soul to third parties who will then send you spam.

        Set up of course so that people see the first one and tick it, but then follow instinct and also tick the second without pausing to fully read it and so actually opt into the second one.

        That kind of trick is also the spawn of Satan.

        1. Graham Marsden

          Re: [ ] Don't tick this box...

          [ ] If you do not tick this box we may not be able to send you vitally important information and little kittens may die horribly...

  4. James 51

    How much do you want to bet this gets spun as preventing innovation and more red tape that prevents companies growing and hiring more workers.

    1. Anonymous Coward
      Anonymous Coward

      I like the argument that says allowing businesses to fire workers easier would lead to more workers being hired.

      1. Lee Dowling

        And, presumably, the better workers at that.

        1. Tom 35

          Or just cheaper ones.

      2. Peter Gathercole Silver badge


        There's two points here.

        One is that it allows companies to hire more people in order to be able to select the ones worth keeping after three or six months, and the other is that companies are petrified by the redundancy conditions such that they do not take people on until absolutely necessary, for fear that having to make them redundant at a later date if there is a downturn in their business is so costly. This is also the reason why so many companies prefer to use agency staff until they know an increase is really justified, to avoid the redundancy packages.

        In both cases, if it was easier to get rid of workers more easily, companies might be prepared to employ more people.

        I personally would prefer to work for a company knowing that they could shed staff more easily if it stops the business going bust and everyone being made redundant, even it it did lessen my job security. There are some safeguards needed, but giving a company in difficulty the choice of going bankrupt because they keep too many employees on and have to keep paying them, or going bankrupt because the redundancy packages they have to offer can't be afforded, is no real choice at all. They both drag the company down.

        1. LDS Silver badge

          Re: @AC

          Sure, but to allow fully for that you should also get rid of "limited responsibility" types of company. If you make the owners (and shareholders) fully responsible and liable with all their properties of the company debts then workers could accept to be fired more easily. Otherwise you're going to fully protect one side while letting the other one fully exposed. A bad managed company that goes bankrupt and with lots of debts usually causes big damages to other ones when debts are not paid - often causing even more unemployment while bad owners and management often moved money away.

          "Creative destruction" has to work in all directions, not only in the one to make labour cheaper by blackmailing workers. And it's funny that this type of full capitalism was made real only in communist China... people should start to think why....

          1. Peter Gathercole Silver badge


            It's not quite that straight forward.

            Shareholders are already on the hook, as they are unlikely to get the money they invested back. They are just as much creditors as the workers who are owed pay.

            In the case of a company that is negligently driven into large debts, especially if money is owed to HMRC (in the UK), then the directors can be sued for corporate negligence, which can result in them being banned from becoming a director for a period of time, personally heavily fined, and in some cases, sent to prison, especially if fraud can be proved.

            Limited Liability companies do not offer complete protection, but I admit that there are ways of extracting value from such a company and walking away without the debts.

        2. Nuke
          Thumb Down

          @Peter Gathercole - Re: @AC

          Peter Gathercole wrote

          ".. companies ... do not take people on until absolutely necessary, for fear that having to make them redundant at a later date if there is a downturn in their business is so costly. many companies prefer to use agency staff until they know an increase is really justified, to avoid the redundancy packages. ...... if it was easier to get rid of workers more easily, companies might be prepared to employ more people."

          Doesn't work like that where I work. We have about 50% agency staff. About a year ago work was very slack, and I asked my boss why the agency people were all still sitting at their desks doing nothing. "But if we get rid of them" he said " it might be hard to get them back again when work picks up!"

          1. Gannon (J.) Dick

            Re: @Peter Gathercole - @AC

            Hang on to that boss.

            Even if he starts making comments about "full time monkey breeding rates" the occasional truth is a precious thing from the Managerial Class.

      3. This post has been deleted by its author

  5. Anonymous Coward

    I hate the forced assumption of unilaterial agreement to exploitation.

    Nothing a nastily worded email does not fix, to every arsehole in the management and company....

    But I'd rather trade with companies that don't do this stupid, "stand on your toes" bullshit.

    Satan - because she knows where to shove it.

  6. Phil O'Sophical Silver badge


    Will this also prevent the bypassing of the new cookie legislation, where every website now seems to popup a box that says, essentially, "We use cookies, tick here to agree. If you keep using the website we'll assume you have agreed anyway." with no possibility of saying "No"?

    Of course, there are cookie-blocking add-ons for browsers like Firefox, but that's not the point.

    1. Gav

      Re: Cookies?

      There is a way of saying "No". It is by not using the website.

    2. Neil Lewis

      Re: Cookies?

      The main reason there was a lot of back-pedalling over the cookies issue is simply that many sites people want to use simply cannot function without them. After the cookie regulations were passed, it soon became obvious that the the rules were practically unworkable.

      Cookies are not primarily used to send information about your browsing habits to third parties, but to allow the site you're using to provide the interactiveness you expect. They are not really necessary for simply browsing a news site or reading a forum, but as soon as you want to manage e.g. a shopping cart, a favourites list or even just individual user preferences then they are needed. Some things can be got around using data passed with page requests, but that's a very limited approach.

      1. Anonymous Coward
        Anonymous Coward

        Re: Cookies?

        There was never a problem with site functionality and the EU cookie legislation. Cookies for things like shopping baskets were absolutely fine - the ICO said so.

        What happened was that advertising sales companies (and Google is one of those) screamed blue murder and claimed that the whole things was unbelievably, incredibly complicated and would break the internet, sometimes in ridiculous articles like this one.

        If large advertising agencies like the one I work for, plus online display advertisers had wanted to implement the cookie legislation, they could have done so without any real problems at all. It was in their interests to claim it was all impossible and complicated and expensive and badly drafted and the end of the world. And it worked.

        1. Nuno

          Re: Cookies?

          cookies are used to give state to a stateless protocol. Without them you are always a new user reaching the site for the first time ever.

          Of course you can avoid using cookies by passing the session variable on the URL, but for the user the consequences, for good and for bad, are the same.

          1. Phil O'Sophical Silver badge

            Re: Cookies?

            Which is why I didn't say "cookies" I said "the new cookie legislation".

          2. Anonymous Coward
            Anonymous Coward

            Re: Cookies?

            "Of course you can avoid using cookies by passing the session variable on the URL"

            I worked very hard to make my web site meet the spirit of the new rules.

            Cookies are optional - and only used to remember a user's details between totally separate visits to the site. While they are accessing any pages on the site - then any details are only remembered in "global" Javascript variables - not in browser data storage functions. This gives the user the ease of field data re-use when submitting FORMs from different pages.

            To allow the long-term cookies the user is given a clearly labelled box to tick on the pages that send the user's details in POST requests. If they tick/untick the box, at any time, then they are asked for confirmation that they want to allow, or delete, cookies.

            Of course that site is built and run for the benefit of the users - not its owners.

  7. Lockwood


    So... A default value of "I do not consent to tracking" is good, and a default of "I consent to tracking" is bad, in the eyes of the EU.

    How is Mr Apache, who's name I can't remember, going to take this?

    1. jnffarrell1

      Re: DNT or you are tracking my data to assist me. Hence protect my data.

      No App or web site has a legal right to my stuff no matter what they say about implied consent. Hence if I consent to storage of my stuff: content, email, search, locations, social, commerce must be in an encrypted (vault) with the keys to the vault requiring two human signatures. Obviously, assisting me to search and find my stuff and/or the web for stuff related to my stuff requires statistics that are derived from my stuff but can be decoupled from my identity by various means (some of which might become open standards).

      Every App that has my permission to touch my stuff should be treated like iCloud, Google Drive or any other contracted cloud service; my data must be protected while at the App and returned to me, or destroyed promptly at my request. None of this 'fine don't befriend my site/app but I'm keeping your snail-mail adresses, email, phone numbers, social and business contacts'.

  8. AndrueC Silver badge

    Very sensible. I doubt it'll make much difference though. I'm always careful to check/uncheck the 'Don't send me marketing crap' option but half of them still send it.

  9. auburnman

    I thought we'd thrashed this out years ago and decided that opt-in by default was not on. Did the lobbyists bury it last time?

    1. Raumkraut

      This is more about refining the definition of "opt in".

      Currently, we (usually) have "the customer opted in if this box is checked". What is being proposed is more like "the customer opted in if they manually checked this box".

  10. Anonymous Coward
    Thumb Up

    They can start with Adobe

    The pre-ticked box on the Flash download page that bundles McAfee foistware is very annoying when I'm updating Windows boxes.

    1. Graham Marsden

      It's not just Adobe...

      They can also start with all those downloads where if you don't un-tick the "Automatic Install" box, the pre-selected (by them) options will aso bundle in some bloody toolbar, switch your homepage, change your default search engine and other assorted BS!

      1. Graham Marsden

        Speak of the fucking devil...!!

        Zone Alarm has just prompted me that the free version of their firewall I'm running is out of date, so I need to download and install a new version.

        Fortunately I (of course) clicked "Custom Install" instead of "Automatic" because I found that the bastard thing would otherwise have tried to make Zone Alarm my home page, installed the Zone Alarm toolbar and make Zone Alarm my default fucking search!

        Not only that, but it wanted my e-mail address to register and had pre-ticked the bloody box that says "Inform me about product updates and security news".

        No. Fuck off. I don't want any of that shit and I don't think that my downloading free product justifies you trying to foist all that crap onto my computer!

    2. jnffarrell1

      Re: They can start with Adobe

      The assumption that you have the wherewithal to read the shyster-generated fine print associated with installing software on your PC was never true. Legal precedents about making contracts on computer screen were never valid. Now, with handheld devices that respond to voice and gestures made by people on the move, the laws pertinent to contracting with the handicapped apply. No way, 'give us rights to your stuff now or we let you stay lost' is not duress.

      1. Gabor Laszlo

        Re: They can start with Adobe

        Re. updating windows boxes:

        Re. TOS fine print:

  11. Anonymous Coward
    Anonymous Coward

    Can we have a rule that says in *all* cases, a checkbox being ticked means YES and a checkbox not being ticked means NO.

    This is to avoid the crafty buggers who invert the consent form to be opt out instead of opt in.

    1. Phil E Succour

      Absolutely, they should enshrine this in the law. All the messing about with double negatives and inverting the meaning of two adjacent tick boxes is obviously designed to confuse users, there can be no other purpose. Companies who do it should hang their heads in shame.

    2. Anonymous Coward
      Anonymous Coward

      So that you have to opt in to opting out, instead of opting out of opting in?

  12. lightknight

    Good show

    Wonderous. It seems the Europeans are thinking these days, more so than I can say for our local Americans. They seem to understand, almost as if they use the internet themselves, that harassment is not the way to go.

    I applaud their sensible efforts.

  13. Graham Marsden
    Thumb Up


    It seems that someone at the EU is *finally* getting a clue!

  14. Titus Aduxass
    Thumb Up

    And another thing

    "...suggested that dominant market players could not make "unilateral and nonessential" changes to contractual terms if consumers have "no option other than to accept the change or abandon an online resource in which they have invested significant time"

    Damn right.

  15. jnffarrell1

    Technical aspects of privacy could be addressed by open APIs

    Legal and technical aspects of internet use while preserving free speech and freedom from warrantless search of your stuff are inextricably related to 'privacy'. Systems studies of less complex issues have involved many months and numerous departments before acceptable alternative were found.

    The word 'unobtainium' was coined by engineers to describe some of the requirements drafted people who thought that if they wrote it, it could be built.

  16. Derichleau

    Long overdue

    This is long overdue. Let's face it, if UK companies actually understood the Regulation 22 rules then I am of the opinion that it's a pretty fair system. Unfortunately many don't. Regulation 22 states that a company can opt you in to marketing by default - so that the individual has to perform some kind of action to opt-out, only if they are collecting the information when making a sale or when someone is enquiring about a sale - obtaining a quote for example. In other words, if there's no possibility that submitting the form will result in a sale, such as a generic contract form, then you should be opted out by default. But if a company had a contact form that was specifically for contacting their sales department then that could be opted in by default.

    In a recent example I switched my electric provider to M&S, and the service is provided by SSE. As part of the account I was advised to create an online account with SSE, and in doing so they had opted me in to marketing by default on the registration form. But I purchased the electric from M&S and I purchased it before Christmas. So I've already done the deal and signed-up to the service so SSE should have me opted out by default - because I'm not registering with them to enquire about or make a sale; I'm registering with them to manage my account. As such, the Regulation 22 rules are not satisfied.

    So I'll be contacting SSE this week to remind them:

  17. Anonymous Coward
    Anonymous Coward

    Cookie banners

    The El Reg cookies bottom banner always strikes me as being unexpectedly unfriendly. They should have been able to come up with a better way to give users a choice.

  18. Anonymous Coward
    Anonymous Coward

    Implied consent nothing new, unfortunately

    This implied consent takes me back to the bad old days when I, in a desperate moment, would buy blank tapes or CDs from Dixons (remember them?) The drone behind the counter would take your money then ask for your address and postcode. You'd give it to them (this was in the days before identity theft was well known) and then, lo and behold, you got all kinds of junk mail for weeks/months/years afterwards. I twigged after the first time, and when I refused to give them my details, and even had the audacity to ask why they were asking for them, the drone would freeze and look blankly at me.

    Good for the EU, I if only they could do it here in the States...yeah, that'll never happen!

    Anonymous for obvious reasons!

  19. technohead95
    Thumb Up

    I'm so glad that this is now going to be implemented. This should have been done a long time ago as some companies do not even offer the opt out choice before you're already opted in by default.

  20. Anonymous Coward
    Anonymous Coward

    the tick boxes matter?

    I also say don't spam me, but seemingly it does not work.

    Maybe we can have another silly law so every (uk) website has a silly pop up asking me something irrelevant.

    Maybe the questions should be more practical, like "did you put the cat out?" or "have you set the video for missus", since its a given that the interweb will give you cookies and spam.

  21. Mike 137 Silver badge

    El Reg please note

    You might like to take note of this yourselves, starting with your annoying grey bar...

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2021