Time to update your cookie consent and policy! CJEU says pre-ticked checkboxes are not valid

On 1 October, the Court of Justice of the EU (“CJEU”) rendered its judgment (Case C‑673/17) in a case concerning cookie-based transparency and consent. This ruling will significantly impact the activities of EU web service providers and the process of accepting cookies, and will make using the Internet either more user friendly or more cumbersome.

What happened in this case?

To participate in a lottery organised by the defendant Planet49, an internet user first had to tick or untick two checkboxes. Ticking the first checkbox allowed users to be contacted by a range of firms with promotional offers, while the second checkbox required users to consent to cookies or data being installed on their computers. Participation in the lottery was only possible if the first checkbox was ticked. According to the applicant Bundesverband, the declarations of consent used by Planet49 did not satisfy the requirements of German law.

How is consent validly constituted under EU law (including the GDPR)?

The CJEU confirmed that storing cookies requires internet users' active consent: a pre-ticked box is therefore not valid (an opt-out is not an opt-in). Requiring a user to untick a box if (s)he does not consent to the installation of cookies is not active consent. User consent may no longer be presumed.

Consent must also be unambiguous. Only active behaviour by the user to give his/her consent may fulfil that requirement.

Finally, consent must be specific in that it must relate specifically to the processing of the data in question and cannot be inferred from an indication of the users’ wishes for other purposes (e.g. a user clicking a button to participate in a promotional lottery does not constitute valid consent to the storage of cookies).

What are the practical steps you should take to comply with this new ruling?

  • Complete a cookie audit. Together with your IT department and/or website operator, check what cookies you use on your website and why you use them.

  • Assess whether you need to obtain consent for the cookies you use. If a cookie is not strictly necessary, you will need to obtain consent prior to installing each of the cookies.

  • If you need to obtain consent, decide on the solution for obtaining consent that will be the best for your circumstances.

  • Determine how you will notify users of your use of cookies when they land on your website.

  • Provide intelligible, unambiguous and sufficiently detailed information in your cookie policy to enable your users to easily determine the consequences of any consent they might give.

  • Your cookie policy must include information on:

    • who the controller is;

    • the types of cookie used;

    • the purposes of the cookie(s);

    • the functioning of the cookies;

    • whether or not third parties may have access to those cookies, in which case their identity should also be mentioned having regard to the specific circumstances under which the data is processed;

    • how users can accept all, some or no cookies and how they can change their preferences in the future; and

    • the duration of the use of cookies.

  • Determine the mechanism that you will implement to obtain users’ consent.

Does it make a difference if the stored information is personal data?

No. Cookie consent rules apply to all data, not only personal data. The CJEU made it clear that any such information is private and aims to protect the user from intrusion into his/her private life, regardless of whether that intrusion involves personal data or other information.

Will this ruling influence the debate about the ePrivacy Regulation?

The proposed ePrivacy Regulation (“ePR”) will complement the GDPR by incorporating some of its principles, updating the ePrivacy Directive and introducing legislation in all member states. Regarding cookies, the ePR aims to simplify the rules and make consent more “user friendly”, as detailed in the latest ePR proposal issued by the Finnish Presidency. The EU Council working group on TELE will now have to consider this ruling while preparing its proposal for the trilogue negotiations with the newly elected European Parliament.

For more information on this ruling, feel free to contact local CMS experts Thomas Dubuisson or Tom De Cordier, or your usual data protection contact at CMS.