In its judgment of 1 October 2019, the European Court of Justice (ECJ) decided on cookie consent requirements under the General Data Protection Regulation 2016/679/EU (GDPR) and the Cookie Directive 2002/58/EC (Cookie Directive) (Case C-673/17, Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (the Judgment)).
The ECJ set clear requirements on what cookie consent must look like. However, the requirements for when websites must ask for cookie consent may vary from one EU member state to another as some member states, such as Germany, have not implemented the Cookie Directive and the Judgment, therefore, does not apply directly.
As a rule of thumb, it can be said that, at minimum, websites must ask for cookie consent for all cookies other than cookies that are technically required to operate the website or to provide the website service to the user. In other words, tracking, marketing and analytics cookies may only be used with explicit, clear, informed (Art. 13 GDPR) and prior consent.
The case involved a promotional lottery, which was presented with two checkboxes:
- A checkbox obtaining consent for marketing emails that was not pre-ticked, but was mandatory to tick in order to participate in the lottery (Marketing Checkbox)
- A pre-ticked checkbox obtaining consent to cookies, which users could opt out of at any time (Cookie Checkbox)
Consent obtained through pre-ticked cookie checkboxes is invalid
According to the ECJ, consent cannot be validly obtained through pre-ticked checkboxes for the following reasons:
- Above all, consent must be given by a statement or by a clear affirmative action. The ECJ acknowledges that requiring a user to untick a checkbox if they refuse the implementation of cookies does not constitute active consent.
- The ECJ raised the concern that users might not have read the information accompanying preselected checkboxes or might not have noticed the checkbox before continuing with their activity on the website. According to the ECJ, in these situations the consent does not satisfy the criterion of informed consent.
- The ECJ further argues that specific consent requires that the consent must relate to the particular data processing in question. In light of this requirement, the ECJ takes the view that the user's consent cannot be inferred from their click on the lottery participation button. The ECJ left open as to whether consent may still be freely given if the performance of a contract is conditioned on consent to process personal data that was discussed by the Advocate General Maciej Szpunar in its opinion with regard to the Marketing Consent (see more on our blog). However, the days of consent 'presumptions' derived from continued browsing activities are over.
Implications for different cookie types
In its press release on the Judgment, the ECJ states that "storing cookies requires internet users' active consent", without any further differentiation, in particular, between strictly necessary cookies, reach measurement cookies or tracking cookies. The ECJ takes the view that the cookie consent requirement applies regardless of whether or not the information accessed through the cookie is personal data within the definition of the GDPR. For German website operators, it is particularly important to note that this statement refers to the Cookie Directive. Any cookie requirements regarding technologies containing exclusively non-personal data are based on the Cookie Directive, not on the GDPR. The Cookie Directive, however, has not yet been transposed into German law in the view of the German supervisory authorities.
With regard to the question of what information the user must be given about the installed cookies, the ECJ made it clear that, inter alia, the duration of the cookies and any third-party access form part of the required information.
Now it is set in stone: EU cookies, local storage use and similar technologies require explicit, granular and informed consent. While the ECJ's Judgment was expected, it is nonetheless a welcome decision that removes any room for debate about the appropriate standard for cookie consent for EU member states that have implemented the Cookie Directive, such as the United Kingdom. As such, the Judgment serves as a warning for website operators who need to ensure that they do not collect consent for placing cookies by using pre-ticked boxes. Many websites will also have to update their cookies policies to include information on the duration of the operation of cookies.
However, for Germany and other EU member states that have not (properly) implemented the EU Cookie Directive, some key issues are still open. As Germany has not implemented the Cookie Directive, the ECJ Judgment does not translate directly into German law, despite the fact that the Planet49 case was brought before the ECJ from the German Federal Court of Justice (Bundesgerichtshof – FCJ). The FCJ will have to make a decision. In the meantime, supervisory authorities have started to "interpret" the Judgement and justify their position with the Judgement. According to their press release, the Supervisory Authority of North Rhine-Westphalia (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen – LDI NRW) concludes from the Judgment that, in principle, any cookies that are not necessary for the operation of a service require consent. The LDI NRW claims that their view would be in line with an orientation paper of the German Data Protection Conference (Datenschutzkonferenz des Bundes und der Länder – DSK) of March 2019. However, the LDI NRW's press release does not mention, for example, mere analytics cookies. According to the DSK, analytics cookies may be justified on the legal basis of legitimate interests and thus not require consent. It remains to be seen how the German legislator interprets the ECJ's cookie requirements, in particular with regard to tracking technologies involving non-personal data (for example, anonymised cookies for reach measurement), in course of the upcoming revision of the German Telemedia Act (Telemediengesetz) until the outstanding ePrivacy Regulation provides more clarity. At least for now, the recipe for GDPR-compliant cookies is still secret for Germany. It is disappointing to see that EU legislators and courts are unable to provide uniform interpretation of GDPR in areas that affect basically all businesses.
In the meantime, businesses are well advised to follow this rule of thumb: Websites must ask for cookie consent for all cookies other than cookies that are technically required to operate the website or to provide the website service to the user. In other words, tracking, marketing and analytics cookies may only be used with explicit, clear, informed (Art. 13 GDPR) and prior consent, for example, via a consent management tool. The decision is likely to be considered as part of the ongoing negotiations on the ePrivacy Regulation which, among other provisions, aims to regulate cookie usage. As such, we expect further development in this area. Keep an eye on this blog for updates.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.