ECJ: Storing Cookies Requires User’s Active Consent
ECJ: Storing Cookies Requires User’s Active Consent
Authors: Irene Kyriakides, Effie Mitsopoulou, KG Law Firm
On 1 October 2019, the European Court of Justice (the “ECJ”) handed down its long-awaited preliminary ruling on the meaning of consent regarding cookies following a request from the German Federal Court of Justice during a case between the Federation of Consumer Organisations and the lottery services provider Planet49 GmbH (Case C673/201, Planet49 GmbH v. Bundersverband der Verbraucherzentralen und Verbraucherverbaende – Verbraucherzentrale Bunderverband e.V). In a nutshell, Planet49 GmbH operated an online lottery scheme which (i) asked via a pre-ticked box for user’s consent for placing web analytics cookies and (ii) required users to provide mandatorily their consent to receiving marketing emails by third parties as a precondition for their participation in the lottery.
With regard to the first checkbox, the ECJ reiterates that according to the ePrivacy framework prior user’s consent must have been acquired before non-essential cookies, namely cookies not technically indispensable for the operation of the website, are stored on their technical equipment. Cookies are small text files that are stored on the users’ device each time they visit a website and track their surfing behavior. Interestingly, the Court clarifies that consent, within the meaning of the ePrivacy Directive, to the storage of and access to cookies on user’s equipment should meet the same validity requirements set forth by the GDPR. In essence, cookies consent required under ePrivacy Directive should be given by a statement or clear affirmative action, signifying unambiguously user’s consent to the proposed processing, such as by ticking a box or choosing technical settings. Therefore, on the grounds that consent can never be tacitly given or implied, cookies consent by way of an already pre-ticked checkbox cannot be regarded as an active indication of choice on the user’s part and thus perceived as valid. Furthermore, the ECJ opines that in line with GDPR standards the user shall be presented, prior to giving consent, with clear and comprehensive information, including information on the duration of the cookies and third-party access to cookies. Most importantly, the Court ruled that the above requirements apply regardless of whether the cookies at hand involve data processing.
The ECJ’s judgment constitutes a milestone regarding cookies rules since it favors the rights of end users and signals a major shift in the approach towards cookies. That said, the decision provides the long-desired clarity regarding the standard for cookies consent. Consent to cookies, either containing personal data or not, has to be of GDPR – level: informed, freely given for a specific purpose and by means of an unambiguous indication of the data subjects’ agreement. Under these new standards for cookies consent, in all likelihood consent by continuing to browse a website or via browser settings will not be deemed as validly constituted. It is, therefore, time for companies falling within the scope of GDPR or national implementing laws (either operating in the EU or targeting EU customers) to reconsider their practices when using cookies in their websites or apps. Companies as data controllers should establish a consent mechanism for nonessential cookies by using cookie pop-ups/banners, adjust their consent forms to GDPR requirements and update their cookies policy so as to include information about the type of cookies used, as well as the purpose, lifespan and third party recipients of each of them. Moreover, although the ECJ did not fully address cookie consent, leaving unanswered the contentious question whether bundling consent to data processing with the right to access free ad-funded content is permitted, companies are well advised to take a second look at cookie walls techniques they might use.
Authors: Irene Kyriakides, Effie Mitsopoulou, KG Law Firm
On 1 October 2019, the European Court of Justice (the “ECJ”) handed down its long-awaited preliminary ruling on the meaning of consent regarding cookies following a request from the German Federal Court of Justice during a case between the Federation of Consumer Organisations and the lottery services provider Planet49 GmbH (Case C673/201, Planet49 GmbH v. Bundersverband der Verbraucherzentralen und Verbraucherverbaende – Verbraucherzentrale Bunderverband e.V). In a nutshell, Planet49 GmbH operated an online lottery scheme which (i) asked via a pre-ticked box for user’s consent for placing web analytics cookies and (ii) required users to provide mandatorily their consent to receiving marketing emails by third parties as a precondition for their participation in the lottery.
With regard to the first checkbox, the ECJ reiterates that according to the ePrivacy framework prior user’s consent must have been acquired before non-essential cookies, namely cookies not technically indispensable for the operation of the website, are stored on their technical equipment. Cookies are small text files that are stored on the users’ device each time they visit a website and track their surfing behavior. Interestingly, the Court clarifies that consent, within the meaning of the ePrivacy Directive, to the storage of and access to cookies on user’s equipment should meet the same validity requirements set forth by the GDPR. In essence, cookies consent required under ePrivacy Directive should be given by a statement or clear affirmative action, signifying unambiguously user’s consent to the proposed processing, such as by ticking a box or choosing technical settings. Therefore, on the grounds that consent can never be tacitly given or implied, cookies consent by way of an already pre-ticked checkbox cannot be regarded as an active indication of choice on the user’s part and thus perceived as valid. Furthermore, the ECJ opines that in line with GDPR standards the user shall be presented, prior to giving consent, with clear and comprehensive information, including information on the duration of the cookies and third-party access to cookies. Most importantly, the Court ruled that the above requirements apply regardless of whether the cookies at hand involve data processing.
The ECJ’s judgment constitutes a milestone regarding cookies rules since it favors the rights of end users and signals a major shift in the approach towards cookies. That said, the decision provides the long-desired clarity regarding the standard for cookies consent. Consent to cookies, either containing personal data or not, has to be of GDPR – level: informed, freely given for a specific purpose and by means of an unambiguous indication of the data subjects’ agreement. Under these new standards for cookies consent, in all likelihood consent by continuing to browse a website or via browser settings will not be deemed as validly constituted. It is, therefore, time for companies falling within the scope of GDPR or national implementing laws (either operating in the EU or targeting EU customers) to reconsider their practices when using cookies in their websites or apps. Companies as data controllers should establish a consent mechanism for nonessential cookies by using cookie pop-ups/banners, adjust their consent forms to GDPR requirements and update their cookies policy so as to include information about the type of cookies used, as well as the purpose, lifespan and third party recipients of each of them. Moreover, although the ECJ did not fully address cookie consent, leaving unanswered the contentious question whether bundling consent to data processing with the right to access free ad-funded content is permitted, companies are well advised to take a second look at cookie walls techniques they might use.