Cookies – small text files that a website provider stores on the user’s computer – are everywhere on the internet. Cookies allow information to be used to facilitate navigation or to analyse the user’s behaviour. There are myriad types of cookies and many cookies require the user’s consent.
The Court of Justice of the European Union (CJEU) recently clarified the requirements for consent to cookies. Nonetheless, lively discussions continue, with many website providers yet to implement a privacy-compliant consent mechanism.
The CJEU’s cookie judgment
The Planet49 dispute concerned a lottery organised for advertising purposes. Users willing to participate filled out a form with their contact details. Consent to the use of cookies was given via a pre-ticked checkbox, which users had to deselect if they did not agree. In its judgment of 1 October 2019, the CJEU ruled that:
- a pre-checked checkbox does not constitute valid consent, because consent requires active, not passive, behaviour on the user’s part;
- this applies irrespective of whether the information stored and accessed via cookies is personal data; and
- the website provider must inform the user of the duration of the operation of cookies and whether third parties may have access to those cookies.
The judgment makes clear that:
- ‘non-essential cookies’ may not be installed when users start their browsing of a website;
- website operators must provide cookie management options alongside clear and comprehensive information; and
- users must be able to easily withdraw their consent.
The Planet49 case clarified that cookie banners with the well-known ‘by continuing to use our website you agree to our use of cookies’ do not obtain valid consent. Yet this wording is still widely used. Indeed, the situation is not as clear as it may initially appear.
A blurred legal situation
The CJEU focused on the process of obtaining consent and did not specify when cookies can be used without the user’s consent. In certain cases, such as when cookies are ‘strictly necessary’ for the service explicitly requested by the user, the ePrivacy Directive allows for an exception.
However, determining which cookies are ‘strictly necessary’ is not easy and is subject to debate, even among the national European data protection authorities (DPAs). For instance, there seems to be little consensus over the conditions under which tracking cookies may be served. German DPAs hold that such cookies always require prior consent, but other DPAs’ views appear to be less definitive.
In any case, one thing is clear: every company or individual that uses cookies on their website should critically review their cookie consent mechanisms, not least since failure to comply with privacy requirements can lead to high fines under the GDPR.