February 24, 2020

How to Obtain GDPR Cookie Consent after CJEU Cookie Ruling

In October 2019, the European Union’s Court of Justice (CJEU) ruled that using pre-ticked consent boxes for cookie placement is invalid whether they collect personal data or not.

Storing or accessing non-essential cookies such as the ones utilized for targeted advertising requires active consent from users. Implied or assumed consent violates the ePrivacy Directive’s requirements as well as the GDPR’s.

Following the CJEU ruling on cookie consent, websites that have opted EU consumers into tracking cookies through implied or assumed consent need to reform their practices. Do you know when a cookie banner is needed?

The Planet49 Case 

In 2013, Planet49 GmbH, a German gaming firm, set up a promotional lottery. To become part of the final draw, users were required to provide their name, address, and postcode. Under the input fields for their address, users were given two descriptive statements coupled with checkboxes. Essentially:

  • The first checkbox, which was unticked, required users to give consent to Planet49’s sponsors and partners for sending them promotional information via post, phone, e-mail, or SMS.
  • On the other hand, the second checkbox, which was pre-checked, required users to consent to Planet49 and its partners using cookies on their device to gather crucial personal data for internet-based advertising.

Interestingly, the lottery's terms and conditions stated that users could only take part if at least the first checkbox was ticked. Nonetheless, they could opt out of the use of cookies if they unchecked the second checkbox manually.

The German Federation of Consumer Organizations challenged Planet49’s practice of obtaining consent in the German courts and eventually asked the CJEU to interpret EU law to clarify whether consent by pre-checked boxes is a valid form of consent in general across the Union.

Key Takeaways from the CJEU’s Ruling on the Planet49 Cookie Consent Case

Valid Consent

Pre-checked boxes to obtain cookie consent do NOT constitute valid consent according to Recital 17 of the ePrivacy Directive, Article 32 of the GDPR or the DPD. 

The Court stated that consent must constitute a freely given, specific and informed indication of users' wishes, which may be manifested in the form of "ticking a box when visiting an internet website".

Processing and storage of information that is not personal data

The CJEU noted that Article 5(3) of the ePrivacy Directive refers to the “storing of information or the gaining of access to information already stored.” 

Therefore, any such information has privacy implications regardless of whether or not it constitutes personal data within the meaning of Article 4(1) of the GDPR.

Cookie duration and access by third parties

Lastly, on the question of whether Article 5(3) of the ePrivacy Directive must be interpreted as requiring the data processor to provide information on the duration of cookie operations and on whether or not third parties have access to the cookies, the Court ruled that website operators must inform users of:

  1. The duration for which their data is processed in line with Article 13(2)(a) of the GDPR
  2. Whether or not third parties have access to the information, and if so, which third-parties

Cookie Consent Practices Considered Non-Compliant with GDPR after the CJEU Ruling

Before the CJEU made its ruling on the Planet49 case, website operators employed different approaches to meet the cookie consent requirement. These include:

  • Assumed consent from website use
  • Notice-only approach
  • Combination of implied consent and affirmative action
  • Implied consent

Assumed Consent from Website Use

‘By continuing to use this website, you agree to the use of cookies’

This practice informs the user that the website operator has already installed cookies on the user’s device and makes an assumption that the user will accept this. 

This approach is non-compliant because there is no specific action to provide consent and the cookies in question are placed by default.

Notice-only Approach

‘This website uses cookies to improve user experience. Click here to learn more.’

Some websites only provide a brief notice and overlook the consent requirement altogether. 

In some cases, it may be impossible to opt out of cookies by altering the settings.

Combination of Implied Consent and Affirmative Action

‘We use cookies to improve and personalize your experience. By continuing to use this site, you agree to the use of cookies [AGREE]’

Some platforms seem to be moving from the implied consent approach without fully abandoning it.

Essentially, the wording of the cookie banner states that using the website is equivalent to consent, but also provides an ‘Agree’ button.

The retention of implied consent to the use of cookies renders this approach non-compliant based on the determination of Planet49’s case.

Implied Consent

‘This website uses cookies to give you the best online experience. By accessing the website you agree to the use of cookies’

For a long period, this approach has been the most preferred technique by website operators to gain consent from users. 

The prevalence of this approach was supported by the fact that regulators had previously indicated that it is possible to imply users’ consent from their actions when this issue was specifically raised.

Nonetheless, regardless of whether or not the use of cookies is suspended until the user takes further action such as clicking on a link, this approach does not satisfy the Planet49 decision test, which requires consent to be specific and not simply inferred from actions taken for other reasons.

Practical Recommendations for Obtaining Cookie Consent under the GDPR after the CJEU Cookie Ruling

From this ruling, it is evident that how companies employ cookies is of crucial importance to data protection authorities. 

To handle cookie privacy compliance risks, businesses should adopt the following measures:

  • Ensure that only cookies that are strictly necessary for the functionality of the website can be stored after the consumers’ affirmative action.
  • Ensure that analytics, advertising, and other related tracking cookies can only be placed after the user has offered their valid consent.
  • Provide a cookie banner and a cookie policy for all websites that utilize this technology
  • Make sure that the cookie banner contains a meaningful description of the reasons for the storage and use of cookies
  • Provide cookie banners that give users the options of accepting or rejecting the use of non-essential cookies 
  • Provide functionality that allows users to easily withdraw their consent on every website
  • Avoid using implied consent as the basis of placing cookies
  • Avoid the use of pre-ticked boxes for consent
  • Ensure that your website’s technical functionality demonstrates that consent is obtained freely
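
The recommendations above can be enforced in code rather than left to banner wording. The following is an added example, not part of the original article or taken from any real consent library: a minimal JavaScript consent gate in which the class, method, event and cookie names are all hypothetical, and an in-memory Map stands in for the browser cookie store.

```javascript
// Added example; all names are hypothetical, not from a real consent library.
const OPTIONAL = ["analytics", "advertising"];

class ConsentGate {
  constructor() {
    this.jar = new Map();     // stand-in for the browser cookie store
    this.granted = new Set(); // empty at start: nothing is pre-ticked
  }
  // Checkbox state the banner renders with: every optional box unticked.
  bannerState() {
    return Object.fromEntries(OPTIONAL.map((c) => [c, this.granted.has(c)]));
  }
  // Only an explicit banner click counts as a choice. Scrolling, navigation
  // or "continuing to use the site" never changes the consent state.
  record(event) {
    const accept = event.type === "banner-accept";
    if (!accept && event.type !== "banner-reject") return false;
    const ticked = accept ? (event.ticked || []) : [];
    this.granted = new Set(OPTIONAL.filter((c) => ticked.includes(c)));
    this.purge();
    return true;
  }
  // Every cookie write goes through here and must declare its category.
  set(name, value, category) {
    if (category !== "necessary" && !this.granted.has(category)) return false;
    this.jar.set(name, { value, category });
    return true;
  }
  // Withdrawal revokes every optional category and deletes stored cookies.
  withdraw() {
    this.granted.clear();
    this.purge();
  }
  purge() {
    for (const [name, c] of this.jar) {
      if (c.category !== "necessary" && !this.granted.has(c.category)) this.jar.delete(name);
    }
  }
}

// Constructed walk-through of one visit; returns the outcome of each step.
function demo() {
  const g = new ConsentGate();
  const r = [g.set("session", "abc", "necessary"), g.set("_ad", "x1", "advertising")];
  r.push(g.record({ type: "page-scroll" })); // implied consent is ignored
  g.record({ type: "banner-accept", ticked: ["analytics"] });
  r.push(g.set("_stat", "v1", "analytics"), g.set("_ad", "x1", "advertising"));
  g.withdraw();
  r.push(g.jar.has("_stat"), g.jar.has("session"));
  return r;
}
```

Routing every cookie write through one gate also gives auditors a single place to check that no tracking cookie is set before a recorded banner choice.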
