New European judgment on cookies
On October 1, 2019, the CJEU issued its long-awaited decision on an important case about consent for the use of cookies. The most significant points of the decision are the following:
Pre-ticked checkboxes do not constitute a valid consent
Pre-ticked boxes do not meet the requirement for an affirmative consent imposed by the ePrivacy Directive, the Data Protection Directive and the GDPR. The court held that there should be an active behavior on the part of the user. Otherwise, it is “practically impossible to clarify in an objective manner whether the user of a website has actually given his consent to the processing of his personal data ”and “ it cannot be ruled out that the user may not have read the information attached to the checkbox or that he may not have noticed this box…”.
Based on the above reasoning and despite the fact that the CJEU did not touch upon other commonly used techniques for getting the users’ consent, it is clear that other ways of passive or implied consent of the users for the use of cookies, such as continuing the web browsing in the website, would also be considered unacceptable.
Same rules apply to all cookies irrespective of whether they store or access personal data of the users
The CJEU confirmed that the provisions on cookies of ePrivacy Directive aim “to protect the user from interference with his or her private sphere, regardless of whether or not that interference involves personal data”. Practically speaking, even if cookies do not collect any user’s personal data (which will be rarely the case), the website publisher should make sure that it complies with the ePrivacy Directive.
Users should be given clear and comprehensive information on the use of cookies
The CJEU explained that clear and comprehensive information should permit the user to easily determine the consequences of his or her consent. Such information should be unambiguous and clearly comprehensible to the average internet user, and sufficiently detailed to permit the user to understand the cookie functionality. Furthermore, the website publisher should provide information on the duration of the operation of the cookies and on whether third parties have access to the cookies.
What website publishers are required to do?
In view of the CJEU’s judgment, website publishers should:
- Amend their cookie notices to include information on the duration of cookies and on third party recipients for each cookie, as well as any other necessary information required under the GDPR that would allow users to understand how each cookie functions; and
- Ensure that their cookie banners operate strictly on the basis of an opt-in consent, so that there are no pre-ticked boxes or other techniques of passive or implied consent.
Article provided by: Mary Deligianni (Zepos & Yannopoulos, Greece)
Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project
Director CPC project: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.org