New European judgment on cookies
Pre-ticked checkboxes do not constitute valid consent
Pre-ticked boxes do not meet the requirement for affirmative consent imposed by the ePrivacy Directive, the Data Protection Directive and the GDPR. The court held that there should be active behavior on the part of the user. Otherwise, it is “practically impossible to clarify in an objective manner whether the user of a website has actually given his consent to the processing of his personal data” and “it cannot be ruled out that the user may not have read the information attached to the checkbox or that he may not have noticed this box…”.
The same rules apply to all cookies, irrespective of whether they store or access users' personal data
The CJEU confirmed that the ePrivacy Directive's provisions on cookies aim “to protect the user from interference with his or her private sphere, regardless of whether or not that interference involves personal data”. Practically speaking, even if cookies do not collect any user’s personal data (which will rarely be the case), the website publisher should make sure that it complies with the ePrivacy Directive.
The CJEU explained that clear and comprehensive information should permit the user to easily determine the consequences of his or her consent. Such information should be unambiguous and clearly comprehensible to the average internet user, and sufficiently detailed to permit the user to understand the cookie functionality. Furthermore, the website publisher should provide information on the duration of the operation of the cookies and on whether third parties have access to the cookies.
What are website publishers required to do?
In view of the CJEU’s judgment, website publishers should:
- Amend their cookie notices to include information on the duration of cookies and on third-party recipients for each cookie, as well as any other necessary information required under the GDPR that would allow users to understand how each cookie functions; and
- Ensure that their cookie banners operate strictly on the basis of opt-in consent, so that there are no pre-ticked boxes or other techniques of passive or implied consent.
Article provided by: Mary Deligianni (Zepos & Yannopoulos, Greece)