
Privacy Tracker | CJEU clarifies cookie consent requirements


On Tuesday, the Court of Justice of the European Union issued a highly anticipated ruling on the scope of consent requirements with respect to cookie compliance. While the key points of the decision did not come as a big surprise to the privacy community, it will likely require many website operators to re-evaluate and update their cookie consent practices.

Importantly, with today’s decision, the CJEU established that consent cannot validly be obtained through the use of pre-checked boxes. The ruling resolves several specific questions about how consent can be validly obtained under the current EU data protection regime, including both the ePrivacy Directive and the EU General Data Protection Regulation.

Background

The Federal Court of Justice in Germany, the Bundesgerichtshof, requested a preliminary ruling from the Court of Justice of the European Union regarding two questions on the meaning and application of Article 5(3) and Article 2(f) of Directive 2002/58/EC in conjunction with Article 2(h) of Directive 95/46/EC and Article 6(1)(a) of Regulation 2016/679.

The case involved participation in a lottery organized by Planet49 GmbH, an online gaming company. To enter the lottery, internet users were prompted to enter their postal codes, names and addresses, then presented with two checkboxes accompanied by explanatory texts. The first checkbox required the user to agree to be contacted by other firms for promotional offers. The second checkbox, which contained a pre-selected tick, required the user to consent to the installation of cookies on their device. In order to participate in the lottery, the first checkbox needed to be ticked.

The questions referred to the CJEU concerned consent, namely, whether valid consent had been obtained for storing information and for storing cookies on a user’s terminal equipment if it has been sought “by way of a pre-checked checkbox which the user must unselect to refuse his consent.” The CJEU was also asked to clarify whether information service providers need to give users information specifically about the duration of the operation of the cookies and whether third parties are given access to them.

Key points

Consent must be obtained through active behavior

Reading the consent provisions under Directive 95/46 and Regulation 2016/679 as requiring consent to be obtained through some active behavior on the part of the user, the CJEU decided that a pre-ticked box does not constitute valid consent by the data subject.

As the wording of Article 5(3) of Directive 2002/58/EC is that the user must have “given his or her consent” to the storage of and access to cookies on their terminal equipment, the court conceded that it “does not … indicate the way in which that consent must be given.” However, regarding the phrase “given his or her consent,” the court argued that it “lend[s] itself to a literal interpretation according to which action is required on the part of the user in order to give his or her consent.”

Article 2(h) of Directive 95/46 defines “data subject’s consent” as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.” Within this definition, the CJEU’s opinion and judgment focused on the term “indication,” which it argued, “clearly points to active, rather than passive, behaviour.” The court also noted that the consent is even more stringently defined under the GDPR and that the notion of “[a]ctive consent is thus now expressly laid down in Regulation 2016/679.”

Accordingly, if a user’s designation of consent is pre-formulated, the user is not giving active consent. As the advocate general stated, and as acknowledged in the CJEU’s judgment, “requiring a user to positively untick a box and therefore become active if he does not consent to the installation of cookies does not satisfy the criterion of active consent. … By contrast, requiring a user to tick a box makes such an assertion far more probable.” Indeed, Recital 32 of the GDPR lists “ticking a box when visiting an internet website” as an example of how valid consent can be obtained from a user.

Moreover, in his opinion, the advocate general also linked the notion of active consent to that of separate consent. While the court’s judgment did not include this, he argued that it “appears … doubtful” that bundling an expression of consent with the expression of another intention would be in conformity with the notion of consent under Directive 95/46.

Consent requirements also apply to the processing and storage of information that is not personal data

As the CJEU noted, Article 5(3) of Directive 2002/58 refers to the “storing of information, or the gaining of access to information already stored,” so any such information would have privacy implications regardless of whether or not it constituted personal data within the meaning of Article 4(1) of the GDPR. Recitals 24 and 25, as well as opinions of the Article 29 Working Party, corroborate this view that the information need not be personal data for Article 5(3) of Directive 2002/58 to apply.

Users must be provided information on cookie duration and access by third parties

Finally, regarding the question of what information the service provider must give to provide clear and comprehensive information to the user in accordance with Article 5(3) of Directive 2002/58, the court ruled that this includes the duration of the cookies and whether third parties have access to them.

Unresolved issues

While the judgment provided much-needed clarity on the more technical components of valid consent, it left open the question of whether the requirement for consent to be “freely given” (under Article 2(h) of Directive 95/46 and Article 4(11) and Article 7(4) of Regulation 2016/679) is compatible with requiring a user to consent to the processing of their personal data for advertising purposes as a prerequisite for participation in a promotional lottery.

A judgment on this point would have brought much-needed clarity to the unresolved problem of so-called “cookie walls.” The choice to condition entrance to a website on the acceptance of cookies remains troublesome given the divergence of opinion among national data protection authorities on the issue. Although several DPAs (France, Germany, the Netherlands) have considered cookie walls not to be allowable under the GDPR, at least one — the U.K. Information Commissioner's Office — appears to be “sitting on the fence on this — at least for the moment.”

Consent is a critical topic that both lawmakers and privacy professionals continue to work toward better regulating, as well as implementing in practice. As pre-ticked boxes will likely fade into historical memory, more questions will undoubtedly arise about whether specific consent mechanisms are valid under the EU’s data protection regime. While the judgment demonstrates that consent must be obtained by “active” behavior, it will be interesting to see how website mechanisms change to meet this newly clarified standard.

Photo credit: Image provided by the Court of Justice of the European Union.

ICO, CNIL and German DPA revised cookies guidelines

In July 2019, the U.K. Information Commissioner’s Office and France’s data protection authority, the CNIL, published new guidance on the use of cookies. Though there are many similarities between the two sets of guidance, there are differences. To help sort out the similarities and differences, Bird & Bird Partners Gabriel Voisin and Ruth Boardman, along with Bird & Bird Trainee Solicitor Clara Clark Nevola, have put together an easy-to-read chart. Issues in the table include whether the rules only apply to cookies and touch upon topics such as implied consent, territorial scope, grace period and whether cookie walls are allowed.

5 Comments


  • Jonathan Figgis • Oct 2, 2019
    Great to get some clarity around this subject. I had a very well known company tell me that they could use pre-ticked boxes as a "soft opt-in" under ePrivacy however I was sceptical as I was not freely giving consent. I had to opt-out which to me shouldn't be the default since 25th May 2018. Thanks for the update, Müge!
  • Johan van Soest • Oct 2, 2019
    I was wondering if the second ruling: "Article 2(f) and Article 5(3) of Directive 2002/58, as amended by Directive 2009/136, read in conjunction with Article 2(h) of Directive 95/46 and Article 4(11) and Article 6(1)(a) of Regulation 2016/679, are not to be interpreted differently according to whether or not the information stored or accessed on a website user’s terminal equipment is personal data within the meaning of Directive 95/46 and Regulation 2016/679." has an impact on the so-called Functional Cookies that are now widely accepted as not requiring consent.
  • Müge Fazlioglu • Oct 2, 2019
    Thank you, Jonathan. Glad it was useful to you!
  • Müge Fazlioglu • Oct 2, 2019
    Hi Johan! I also don’t think that was addressed explicitly in this case, but I would expect more clarity in future discussions regarding ePrivacy. Related to your point, there was an amendment made to Recital 21 of the council’s ePR compromise proposal to exempt IoT devices from consent requirements, but it might be early to tell, so we will see.
  • Cormac Clancy • Oct 3, 2019
    Johan, when you say "Functional Cookies that are now widely accepted as not requiring consent" I have to ask: 'Widely accepted by whom?'. And also, how are you defining "functional cookies"? Firstly, it seems to me that the ruling at (2) affects the consent requirement of all cookies which require consent under 2002/58. If you define "functional" as having different characteristics than "strictly necessary" then of course the ruling applies. If you don't ascribe different characteristics, then why are you labelling them differently?
    I think the phrase "widely accepted" is often used as meaning "everyone else is doing it, so I'm going to do it also - even if it's wrong". Some sites are broadening the meaning of "strictly necessary" to extraordinarily wide parameters. In much the same way as sites are using the mechanism of "if you continue to use this site you consent.......". Continuation of use, in and of itself, just cannot be an "affirmative act of consent".