In October 2019, the European Union’s Court of Justice (CJEU) ruled that pre-ticked consent boxes are not a valid way to obtain consent for cookie placement, whether or not the cookies collect personal data.
Storing or accessing non-essential cookies such as the ones utilized for targeted advertising requires active consent from users. Implied or assumed consent violates the ePrivacy Directive’s requirements as well as the GDPR’s.
Following the CJEU ruling on cookie consent, websites that have opted EU consumers into tracking cookies through implied or assumed consent need to reform their practices.
The Planet49 Case
In 2013, Planet49 GmbH, a German gaming firm, set up a promotional lottery. To become part of the final draw, users were required to provide their name, address, and postcode. Under the input fields for their address, users were given two descriptive statements coupled with checkboxes. Essentially:
- The first checkbox, which was unticked, required users to give consent to Planet49’s sponsors and partners for sending them promotional information via post, phone, e-mail, or SMS.
- On the other hand, the second checkbox, which was pre-checked, required users to consent to Planet49 and its partners using cookies on their device to gather crucial personal data for internet-based advertising.
The German Federation of Consumer Organizations challenged Planet49’s practice of obtaining consent in the German courts and eventually asked the CJEU to interpret EU law to clarify whether consent by pre-checked boxes is a valid form of consent in general across the Union.
Key Takeaways from the CJEU’s Ruling on the Planet49 Cookie Consent Case
- Valid Consent
Pre-checked boxes to obtain cookie consent do NOT constitute valid consent according to Recital 17 of the ePrivacy Directive, Article 32 of the GDPR or the DPD.
The Court stated that consent must constitute a freely given, specific and informed indication of users’ wishes, which may be manifested in the form of “ticking a box when visiting an internet website”.
- Processing and storage of information that is not personal data
The CJEU noted that Article 5(3) of the ePrivacy Directive refers to the “storing of information or the gaining of access to information already stored.”
Therefore, any such information has privacy implications regardless of whether or not it constitutes personal data within the meaning of Article 4(1) of the GDPR.
- Cookie duration and access by third parties
Lastly, on the question of whether Article 5(3) of the ePrivacy Directive should be interpreted as requiring the data processor to provide information on the duration of cookie operations and on whether or not third parties have access to the cookies, the Court ruled that website operators must inform users of:
- The duration for which their data is processed in line with Article 13(2)(a) of the GDPR
- Whether or not third parties have access to the information, and if so, which third parties
Cookie Consent Practices Considered Non-Compliant with GDPR after the CJEU Ruling
Before the CJEU made its ruling on the Planet49 case, website operators employed different approaches to meet the cookie consent requirement. These include:
- Assumed consent from website use
- Notice-only approach
- Combination of implied consent and affirmative action
- Implied consent
Assumed Consent from Website Use
This practice informs the user that the website operator has already installed cookies on the user’s device and makes an assumption that the user will accept this.
This approach is non-compliant because there is no specific action to provide consent and the cookies in question are placed by default.
Notice-Only Approach
Some websites only provide a brief notice and overlook the consent requirement altogether.
In some cases, it may be impossible to opt out of cookies by altering the settings.
Combination of Implied Consent and Affirmative Action
Some platforms seem to be moving from the implied consent approach without fully abandoning it.
Essentially, the wording of the cookie banner states that using the website is equivalent to consent, but also provides an ‘Agree’ button.
Implied Consent
For a long period, this approach has been the most preferred technique by website operators to gain consent from users.
The prevalence of this approach was supported by the fact that regulators had previously indicated that it is possible to imply users’ consent from their actions when this issue was specifically raised.
Practical Recommendations for Obtaining Cookie Consent under the GDPR after the CJEU Cookie Ruling
From this ruling, it is evident that how companies employ cookies is of crucial importance to data protection authorities.
To handle cookie privacy compliance risks, businesses should adopt the following measures:
- Ensure that only cookies that are strictly necessary for the functionality of the website can be stored after the consumers’ affirmative action.
- Ensure that analytics, advertising, and other related tracking cookies can only be placed after the user has offered their valid consent.
- Provide cookie banners that give users the options of accepting or rejecting the use of non-essential cookies
- Provide functionality that allows users to easily withdraw their consent on every website
- Avoid using implied consent as the basis of placing cookies
- Avoid the use of pre-ticked boxes for consent
- Ensure that your website’s technical functionality demonstrates that consent is obtained freely
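The measures above can be enforced in code rather than left to banner wording. The following is an added example, not part of the original article: a consent gate that refuses to store non-essential cookies until the user opts in, deletes them on withdrawal, and exposes the duration and third-party details the Court requires. The cookie names, lifetimes, recipients and the in-memory cookie store are constructed for illustration.

```javascript
// Constructed cookie catalogue; names, lifetimes and recipients are illustrative.
const CATALOGUE = {
  session_id: { category: "necessary",   maxAgeDays: 1,   thirdParties: [] },
  _stats:     { category: "analytics",   maxAgeDays: 390, thirdParties: ["analytics.example"] },
  _ads:       { category: "advertising", maxAgeDays: 90,  thirdParties: ["ads.example"] },
};

class ConsentGate {
  constructor() {
    this.jar = new Map();      // stands in for the browser cookie store
    this.granted = new Set();  // empty by default: nothing is pre-ticked
    this.audit = [];           // record of each consent decision
  }
  // What the banner must show: lifetime and third-party recipients per cookie.
  disclosure() {
    return Object.entries(CATALOGUE).map(([name, c]) => ({ name, ...c }));
  }
  // Call only from the banner's submit handler, never on page load or scroll.
  record(choices) {
    for (const category of ["analytics", "advertising"]) {
      if (choices[category] === true) this.granted.add(category);
      else this.withdraw(category);
    }
    this.audit.push({ at: new Date().toISOString(), choices: { ...choices } });
  }
  // Withdrawal removes the grant and deletes cookies already placed under it.
  withdraw(category) {
    if (category === "necessary") return; // essential cookies are not consent-based
    this.granted.delete(category);
    for (const [name] of this.jar) {
      if (CATALOGUE[name].category === category) this.jar.delete(name);
    }
  }
  // Returns false (and stores nothing) for a non-essential cookie without consent.
  set(name, value) {
    const entry = CATALOGUE[name];
    if (!entry) throw new Error(`undeclared cookie: ${name}`);
    if (entry.category !== "necessary" && !this.granted.has(entry.category)) return false;
    this.jar.set(name, value);
    return true;
  }
}
```

Routing every cookie write through one gate like this also gives the operator an audit trail showing that each optional category was enabled by an explicit choice.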