In October 2019, the European Union’s Court of Justice (CJEU) ruled that using pre-ticked consent boxes for cookie placement is invalid whether they collect personal data or not.
In October 2019, the European Union’s Court of Justice (CJEU) ruled that using pre-ticked consent boxes for cookie placement is invalid whether they collect personal data or not.
Storing or accessing non-essential cookies such as the ones utilized for targeted advertising requires active consent from users. Implied or assumed consent violates the ePrivacy Directive’s requirements as well as the GDPR’s.
Following the CJEU ruling on cookie consent, websites that have leveraged opting EU consumers into tracking cookies through implied or assumed consent need to reform their practices. Do you know when a cookie banner is needed?
Explore more privacy compliance insights and best practices
In 2013, Planet49 GmBH, a German gaming firm, set up a promotional lottery. To become part of the final draw, users were required to provide their name, address, and postcode. Under the input fields for their address, users were given two descriptive statements coupled with checkboxes. Essentially;
Interestingly, the lottery's terms and conditions stated that users could only take part if at least the first checkbox was ticked. Nonetheless, they could opt-out of the use of cookies, if they unchecked the second checkbox manually.
The German Federation of Consumer Organizations challenged Planet49’s practice of obtaining consent in the German courts and eventually asked the CJEU to interpret EU law to clarify whether consent by pre-checked boxes is a valid form of consent in general across the Union.
Pre-checked boxes to obtain cookie consent do NOT constitute valid consent according to Recital 17 of the ePrivacy Directive, Article 32 of the GDPR or the DPD.
The Court expressed that the consent must constitute a freely given, specific and informed indication of users' wishes, which may be manifested in the form of "ticking a box when visiting an internet website"
The CJEU noted that Article 5(3) of the ePrivacy Directive refers to the “storing of information or the gaining of access to information already stored.”
Therefore, any such information has privacy implications regardless of whether or not it constituted personal data within the meaning of Article 4(1) of the GDPR.
Lastly, wherein it was inquired that article 5(3) of the ePrivacy Directive shall be interpreted in a way that the data processor is required to provide information on the duration of cookie operations and whether third parties have access to the cookies, or not, the Court ruled that websites operators must inform users;
Before the CJEU made its ruling on the Planet49 case, website operators employed different approaches to meet the cookie consent requirement. They include;
‘By continuing to use this website, you agree to the use of cookies’
This practice informs the user that the website operator has already installed cookies on the user’s device and makes an assumption that the user will accept this.
This approach is non-compliant because there is no specific action to provide consent and the cookies in question are placed by default.
‘This website uses cookies to improve user experience. Click here to learn more.’
Some websites only provide a brief notice and overlook the consent requirement altogether.
In some cases, it may be impossible to opt-out of cookies by altering the settings.
‘We use cookies to improve and personalize your experience. By continuing to use this site, you agree to the use of cookies [AGREE]’
Some platforms seem to be moving from the implied consent approach without fully abandoning it.
Essentially, the wording of the cookie banner states that using the website is equivalent to consent, but also provides an ‘Agree’ button.
The retention of implied consent to the use of cookies renders this approach non-compliant based on the determination of Planet49’s case.
‘This website uses cookies to give you the best online experience. By accessing the website you agree to the use of cookies’
For a long period, this approach has been the most preferred technique by website operators to gain consent from users.
The prevalence of this approach was supported by the fact that regulators had previously indicated that it is possible to imply users’ consent from their actions when this issue was specifically raised.
Nonetheless, regardless of whether the use of cookies is suspended until the user takes further action such as clicking on a link or not, this approach does satisfy the Planet49 decision test, which requires consent to be specific and not simply inferred from actions taken for other reasons.
From this ruling, it is evident that how companies employ cookies is of crucial importance to data protection authorities.
To handle cookie privacy compliance risks, businesses should adopt the following measures;
For more information on how we can help you obtain cookie consent legally under the GDPR, book a call with us today and speak with a data privacy compliance expert.
SCHEDULE A CALL
Alternatively, you can sign up for a free trial of our GDPR compliance solution.
Schedule a call to learn more
Check out our detailed overview of the GDPR and ePrivacy Directive to learn more about compliance requirements
Click here to get your free GDPR and ePrivacy Directive e-book delivered straight into your inbox
