How to Obtain GDPR CookieConsent after CJEU Cookie Ruling
In October 2019, the European Union’s Court of Justice (CJEU) ruled that using pre-ticked consent boxes for cookie placement is invalid whether they collect personal data or not.
Secure Privacy Team
·6 min read
Share:
In October 2019, the European Union’s Court of Justice (CJEU) ruled that using pre-ticked consent boxes for cookie placement is invalid whether they collect personal data or not.
Storing or accessing non-essential cookies such as the ones utilized for targeted advertising requires active consent from users. Implied or assumed consent violates the ePrivacy Directive’s requirements as well as the GDPR’s.
RELATED CONTENT
Continue Reading
Explore more privacy compliance insights and best practices
on cookie consent, websites that have leveraged opting EU consumers into tracking cookies through implied or assumed consent need to reform their practices. Do you know
In 2013, Planet49 GmBH, a German gaming firm, set up a promotional lottery. To become part of the final draw, users were required to provide their name, address, and postcode. Under the input fields for their address, users were given two descriptive statements coupled with checkboxes. Essentially;
The first checkbox, which was unticked, required users to give consent to Planet49’s sponsors and partners for sending them promotional information via post, phone, e-mail, or SMS.
On the other hand, the second checkbox, which was pre-checked, required users to consent to Planet49 and its partners using cookies on their device to gather crucial personal data for internet-based advertising.
Interestingly, the lottery's terms and conditions stated that users could only take part if at least the first checkbox was ticked. Nonetheless, they could opt-out of the use of cookies, if they unchecked the second checkbox manually.
The German Federation of Consumer Organizations challenged Planet49’s practice of obtaining consent in the German courts and eventually asked the CJEU to interpret EU law to clarify whether consent by pre-checked boxes is a valid form of consent in general across the Union.
Key Takeaways from the CJEU’s Ruling on the Planet49 Cookie Consent Case
Valid Consent
Pre-checked boxes to obtain cookie consent do NOT constitute valid consent according to Recital 17 of the ePrivacy Directive, Article 32 of the GDPR or the DPD.
The Court expressed that the consent must constitute a freely given, specific and informed indication of users' wishes, which may be manifested in the form of "ticking a box when visiting an internet website"
Processing and storage of information that is not personal data
The CJEU noted that Article 5(3) of the ePrivacy Directive refers to the “storing of information or the gaining of access to information already stored.”
Therefore, any such information has privacy implications regardless of whether or not it constituted personal data within the meaning of Article 4(1) of the GDPR.
Cookie duration and access by third parties
Lastly, wherein it was inquired that article 5(3) of the ePrivacy Directive shall be interpreted in a way that the data processor is required to provide information on the duration of cookie operations and whether third parties have access to the cookies, or not, the Court ruled that websites operators must inform users;
The duration for which their data is processed in line with Article 13(2)(a) of the GDPR
Whether or not third parties have access to the information, and if so, which third-parties
Cookie Consent Practices Considered Non-Compliant with GDPR after the CJEU Ruling
Before the CJEU made its ruling on the Planet49 case, website operators employed different approaches to meet the cookie consent requirement. They include;
Assumed consent from website use
Notice-only approach
Combination of implied consent and affirmative action
Implied consent
Assumed Consent from Website Use
‘By continuing to use this website, you agree to the use of cookies’
This practice informs the user that the website operator has already installed cookies on the user’s device and makes an assumption that the user will accept this.
This approach is non-compliant because there is no specific action to provide consent and the cookies in question are placed by default.
Notice-only Approach
‘This website uses cookies to improve user experience. Click here to learn more.’
Some websites only provide a brief notice and overlook the consent requirement altogether.
In some cases, it may be impossible to opt-out of cookies by altering the settings.
Combination of Implied Consent and Affirmative Action
‘We use cookies to improve and personalize your experience. By continuing to use this site, you agree to the use of cookies [AGREE]’
Some platforms seem to be moving from the implied consent approach without fully abandoning it.
Essentially, the wording of the cookie banner states that using the website is equivalent to consent, but also provides an ‘Agree’ button.
The retention of implied consent to the use of cookies renders this approach non-compliant based on the determination of Planet49’s case.
Implied Consent
‘This website uses cookies to give you the best online experience. By accessing the website you agree to the use of cookies’
For a long period, this approach has been the most preferred technique by website operators to gain consent from users.
The prevalence of this approach was supported by the fact that regulators had previously indicated that it is possible to imply users’ consent from their actions when this issue was specifically raised.
Nonetheless, regardless of whether the use of cookies is suspended until the user takes further action such as clicking on a link or not, this approach does satisfy the Planet49 decision test, which requires consent to be specific and not simply inferred from actions taken for other reasons.
Practical Recommendations for Obtaining Cookie Consent under the GDPR after the CJEU Cookie Ruling
From this ruling, it is evident that how companies employ cookies is of crucial importance to data protection authorities.
To handle cookie privacy compliance risks, businesses should adopt the following measures;
Ensure that only cookies that are strictly necessary for the functionality of the website can be stored after the consumers’ affirmative action.
Ensure that analytics, advertising, and other related tracking cookies can only be placed after the user has offered their valid consent.
Provide a cookie banner and a cookie policy for all websites that utilize this technology
Make sure that the cookie banner contains a meaningful description of the reasons for the storage and use of cookies
Provide cookie banners that give users the options of accepting or rejecting the use of non-essential cookies
Provide functionality that allows users to easily withdraw their consent on every website
Avoid using implied consent as the basis of placing cookies
Avoid the use of pre-ticked boxes for consent
Ensure that your website’s technical functionality demonstrates that consent is obtained freely
For more information on how we can help you obtain cookie consent legally under the GDPR, book a call with us today and speak with a data privacy compliance expert.
