New European judgment on cookies

11.10.2019

In its recent judgment in the “Planet49 case”, the Court of Justice of the European Union (“CJEU”) held that consent for cookies cannot be lawfully established through the use of pre-ticked boxes and that clear and comprehensive information should be given to the website users on the functionality of each cookie.

On October 1, 2019, the CJEU issued its long-awaited decision on an important case about consent for the use of cookies. The most significant points of the decision are the following:

Pre-ticked checkboxes do not constitute valid consent

Pre-ticked boxes do not meet the requirement for an affirmative consent imposed by the ePrivacy Directive, the Data Protection Directive and the GDPR. The court held that there should be an active behavior on the part of the user. Otherwise, it is “practically impossible to clarify in an objective manner whether the user of a website has actually given his consent to the processing of his personal data” and “it cannot be ruled out that the user may not have read the information attached to the checkbox or that he may not have noticed this box…”.

Based on the above reasoning, and despite the fact that the CJEU did not touch upon other commonly used techniques for obtaining users’ consent, it is clear that other forms of passive or implied consent to the use of cookies, such as continuing to browse the website, would also be considered unacceptable.

The same rules apply to all cookies irrespective of whether they store or access personal data of the users

The CJEU confirmed that the cookie provisions of the ePrivacy Directive aim “to protect the user from interference with his or her private sphere, regardless of whether or not that interference involves personal data”. Practically speaking, even if cookies do not collect any of the user’s personal data (which will rarely be the case), the website publisher should make sure that it complies with the ePrivacy Directive.

Users should be given clear and comprehensive information on the use of cookies

The CJEU explained that clear and comprehensive information should permit the user to easily determine the consequences of his or her consent. Such information should be unambiguous and clearly comprehensible to the average internet user, and sufficiently detailed to permit the user to understand the cookie functionality. Furthermore, the website publisher should provide information on the duration of the operation of the cookies and on whether third parties have access to the cookies.

What are website publishers required to do?

In view of the CJEU’s judgment, website publishers should:

  • Amend their cookie notices to include information on the duration of cookies and on third party recipients for each cookie, as well as any other necessary information required under the GDPR that would allow users to understand how each cookie functions; and 
  • Ensure that their cookie banners operate strictly on the basis of an opt-in consent, so that there are no pre-ticked boxes or other techniques of passive or implied consent.

 

Article provided by: Mary Deligianni (Zepos & Yannopoulos, Greece)

 

