I smile to myself when people say that data protection compliance is nothing more than a box-ticking exercise. (In all seriousness, that's not a smart approach to take.) But I’m willing to make an exception for the European Court of Justice, which issued a judgment this morning that actually is about ticking boxes.

The decision in Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal doesn’t particularly break new ground, but rather reinforces what we already know about consent to data processing in the EU, namely:

  • That it must be freely given, specific, informed and unambiguous; and
  • That silence, inactivity or pre-ticked boxes don’t meet this standard.

In this case, Orange’s template mobile phone contract contained a clause stating that customers had been informed of, and had consented to, the collection and storage of their ID documents for verification purposes. Crucially, the box relating to that clause had been pre-ticked by Orange. The ECJ also found that: 

  1. The contract potentially misled customers about the possibility of concluding the agreement even if they refused to give consent for the processing; and
  2. Requiring customers to declare in writing that they weren’t willing to provide consent was liable to affect their freedom to choose.

This might all seem obvious, but lots of companies continue to use pre-ticked boxes to obtain consent. If you’re one of them, consider this: if you genuinely need an individual’s personal data, you can likely rely on another legal basis for processing (e.g., compliance with laws or your legitimate business interests). And if consent is the only option, it makes legal and reputational sense to do it right.

It'll ensure you avoid being boxed in by GDPR compliance.