Cookies – small text files that a website provider stores on the user’s computer – are everywhere on the internet. Cookies allow information to be used to facilitate navigation or to analyse the user’s behaviour. There are myriad types of cookies and many cookies require the user’s consent.
The Court of Justice of the European Union (CJEU) recently clarified the requirements for consent to cookies. Nonetheless, lively discussions continue, with many website providers yet to implement a privacy-compliant consent mechanism.
The CJEU’s cookie judgment
- a pre-checked checkbox does not constitute valid consent as such consent requires the user’s active, and not passive, behaviour;
- this applies irrespective of whether the information stored and accessed via cookies is personal data; and
- the website provider must inform the user of the duration of the operation of cookies and whether third parties may have access to those cookies.
The judgment makes clear that:
- ‘non-essential cookies’ may not be installed when users start their browsing of a website;
- website operators must provide cookie management options alongside clear and comprehensive information; and
- users must be able to easily withdraw their consent.
A blurred legal situation
The CJEU focused on the process of obtaining consent and did not specify when cookies can be used without the user’s consent. In certain cases, such as when cookies are ‘strictly necessary’ for the service explicitly requested by the user, the ePrivacy Directive allows for an exception.
However, determining which cookies are ‘strictly necessary’ is not easy and is subject to debate, even among the national European data protection authorities (DPAs). For instance, there seems to be little consensus over the conditions under which tracking cookies may be served. German DPAs hold that such cookies always require prior consent, but other DPAs’ views appear to be less definitive.