Cookie Consent – GDPR


Our team: Eddie Powell, Joshua Bennett


The European Court of Justice (ECJ) has handed down a preliminary ruling in a case[1] focussing on the validity of consent obtained from internet users by means of pre-ticked checkbox, and information obligations regarding cookies. The ECJ was reviewing the cookie consent requirements in accordance with the Cookie Directive 2002/58/EC (Cookie Directive), and the General Data Protection Regulation 2016/679/EU (GDPR).

Background

The proceedings concerned participants in a promotional lottery organised by Planet49 GMBH, an online gaming company; participants entering the lottery were faced with a number of checkboxes including a pre-ticked checkbox obtaining consent to cookies, which users could opt out of at any time.

The pre-ticked checkbox authorised the collection and processing of the users personal data. Therefore the first question put before the ECJ was whether a lottery participant gave valid consent by way of a pre-ticked checkbox, which must be deselected to refuse his or her consent?

Pre-ticked checkboxes do not lead to valid consent

The ECJ found that whilst a user’s consent may be given by “ticking a box when visiting an internet website”[2], consent is defined as being “any freely given specific and informed indication[3]” of a user’s decision. The ECJ also reviewed the legislative origins of Article 5(3) of the Cookie Directive and concluded that the “user consent may no longer be presumed but must be the result of the active behaviour on the part of the user.”

The ECJ also highlighted that the definition of active consent under GDPR expressly precludes “silence, pre-ticked boxes or inactivity”. Therefore consent given in the form of a pre-ticked checkbox does not imply active behaviour on the part of a website user.

This led the ECJ to conclude that the mere fact a user selects the button to participate in the promotional lottery organised by a company, cannot be deemed sufficient to conclude that the user validly gave his or her consent to the storage of cookies.

Implications for different types of cookies

The ECJ also confirmed that its interpretation regarding consent to cookies, applies to any information stored or accessed on a website user’s terminal equipment regardless of whether it would be deemed personal data within the meaning of GDPR. In other words, the consent requirements set out above, apply to personal data and non-personal data.

Information obligations

Finally, the ECJ held that the list of information that the service provider must give to a website user when collecting information, includes the duration of the operation of cookies and whether or not their parties may have access to those cookies.

Conclusion

Whilst the ECJ’s Judgment is not a surprise, it does help to clarify the appropriate standard for cookie consent for EU member states, including the United Kingdom, that have implemented the Cookie Directive; namely that EU cookies, local storage use and similar technologies require active and explicit consent from the individual in the form of a statement or clear affirmative action. The ECJ’s conclusions also reaffirm the UK Information Commissioner’s Office’s post on Cookie Guidance[4] issued in July 2019 that says,

“the user must take a clear and positive action to give their consent to non-essential cookies – continuing to use your website does not constitute valid consent”.

Therefore, further to the recent ICO’s recent Cookie Guidance[5], businesses and website operators are encouraged to undertake a ’cookie audit’; this involves completing a comprehensive review and update of all webpages and cookie policies to ensure that:

  • you ask for consent for all cookies, particularly those which are used for tracking, marketing and analytics;
  • you do not collect consent for placing cookies by using pre-ticked boxes; and
  • the website cookies policies include information on the duration of the operation of cookies; and documenting your findings and subsequent decisions. By taking such actions now, businesses and website operators will be suitably prepared for the potential introduction of the ePrivacy Regulation in the future.

———————————————————–

[1] Case C-673/17Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.

[2] Recital 17 of Directive 2002/58

[3] Case C-673/17

[4] https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf

[5] https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf

View by author:


Would you like to hear more?