GDPR: What the CJEU Cookie Ruling Means for Businesses

The Court of Justice of the European Union delivered a ruling on October 1, 2019, which stated that businesses must obtain active, freely given, specific, informed, and unambiguous consent from consumers before storing cookies in their devices.

The CJEU’s specific directive was that opt-out consent through a pre-checked checkbox is not adequate consent for the storage of cookies in users’ devices. This ruling applies to any website that employees tracking cookies, a majority of which do not seek GDPR-level consent.

What is the Background of the CJEU Cookie Ruling?

This case was brought to the CJEU after Planet49, a German online gaming company, presented its customers wishing to take part in its online lottery with two checkboxes whereby:

• The first checkbox requested the data subject’s permission to give sponsors and cooperation partners consent to provide the user with information about their businesses. This checkbox was unchecked by default, and the data subject actively had to select the box to indicate his or her consent.
• The second checkbox requested the data subject’s consent for the use of cookies that may allow Planet49 and other websites to track the data subject’s browsing activity across websites and to provide tracking data to advertising partners. This checkbox was automatically checked by default and the data subject had to actively deselect the box to opt-out of this use of his or her information.

The German Federation of Consumer Organizations challenged Planet49’s practice of obtaining consent in the German courts and eventually asked the CJEU to interpret EU law to clarify whether consent by pre-checked boxes is a valid form of consent in general across the Union.

What are the Key Issues the CJEU Addressed in the Cookie Ruling?

Question 1: Is a pre-checked checkbox that the user must actively untick to withdraw their consent constitute valid consent under the ePrivacy Directive, as well as the Data Protection Directive (DPD) and the General Data Protection Regulation (GDPR)?

CJEU Ruling: Pre-checked boxes to obtain cookie consent do NOT constitute valid consent according to Recital 17 of the ePrivacy Directive, Article 32 of the GDPR or the DPD. The Court expressed that the consent must constitute a freely given, specific and informed indication of users' wishes, which may be manifested in the form of "ticking a box when visiting an internet website"

Question 2: Does it matter whether the data stored or accessed using cookies is personal information?

CJEU Ruling: Regardless of whether cookies process personal data or not, clear, active consent is required from users.

Question 3: What kind of disclosures must be made to users as part of the transparency requirements of the ePrivacy Directive?

CJEU Ruling: Website operators must make prior disclosures to consumers about;

(i)The duration for which their data is processed in line with the GDPR

(ii)Whether or not third parties have access to the information, and if so, which third-parties

What Questions did the CJEU Cookie Ruling Fail to Clarify?

• The CJEU Ruling left open question of ‘cookie walls’ since it does not clarify as to whether the requirement for consent to be “freely given” under Article 2(h) of the DPD, as well as Article 4(11) and Article 7(4) of the  GDPR is compatible with requiring a user to consent to the processing of their data for advertising purposes as a prerequisite for participation in a promotional lottery.
• The Ruling also failed to clarify whether the question of implied consent amounts to violations of both the ePrivacy Directive and the GDPR.
• The CJEU did not offer guidance on how consent for different kinds of cookies should be obtained. The question of whether companies need to obtain uniform consent for all cookies or seek consent for each cookie was not addressed.
  

What is the Impact of the CJEU Cookie Ruling on Companies?

Following the cookie ruling, businesses need to;

• Obtain active, clear, and specific consent for the use of cookies. Pre-checked boxes should NOT be used. Similarly, implied consent in the form of, ‘by continuing to browse this website, you agree to the use of cookies’ should be avoided.
• Reform their cookie policy to make users aware of the duration of cookies they agree to
• Review their cookie policies to provide prior disclosure to consumers about third parties that have access to their information. In this case, the general statement that ‘third parties may have access to the cookie data’ is not enough. It is vital to identify every third-party individually.

Secure Privacy is a software solution that helps you handle cookie consent, monitoring, and control on your website in line with the requirements of the GDPR.

For additional queries or concerns, book a call with us today for personalized support on how to manage cookies on your website and become GDPR compliant. 

Additional Resources;

Learn more about GDPR and the ePrivacy Directive with our comprehensive summaries of the EU’s data protection laws

Download your free GDPR and ePrivacy Directive e-book straight into your inbox