No Consent, No Cookie! CJEU Issues Far-Reaching Decision on Cookie Consent

In its long-awaited judgment, the European Court of Justice (CJEU) decided the data protection requirements for obtaining consent when using cookies. The court held that “passive” acceptance of cookies through prechecked boxes, or by posting a banner and assuming consent with continued browsing of the website, is not an acceptable form of consent. According to the CJEU, “consent” requires active behavior in the form of interaction with the banner, or some other affirmative action indicating consent. The court held that website operators must ensure this level of consent prior to placing any cookies that require consent for storing or accessing information stored on the user’s device. The court’s decision removes all legal ambiguities on the level of consent required for cookies, and website operators are wise to review their use of cookies as a result.

This alert will analyze the CJEU’s decision, provide a summary of the current regulators’ views and give practical guidance on what website operators should do.

What Happened?

The CJEU decision is based on a case brought by the German Consumer Association against Planet49 GmbH (Planet49).  Planet49 hosted a lottery on its website. To play the lottery, participants were required to enter their name and address. Beneath the input fields for the address were two sets of checkboxes. The first box was not pre-ticked and was meant to provide consent for the participant to be contacted by sponsors about commercial offers. The second box was pre-ticked and was meant to provide consent for cookies to be placed on the participant’s device for the purposes of targeted ads. The German Supreme Court (Bundesgerichtshof) asked the CJEU for a preliminary ruling on the legality of this “opt-out” system for cookie consent.

The Court’s Decision

The CJEU ruled that website operators may only obtain consent for cookies through active behavior. An opt-out solution that requires the user to untick a box to object to the storage of cookies does not meet the criteria for consent. Instead, users must place a checkmark themselves to agree to the use of cookies.

In addition, the court found that the consent must be specific to the proposed use. Therefore, the fact that a user clicked the button to participate in a promotional lottery was not sufficient to also indicate consent for cookie storage. The court also held that the user must be informed about the duration of cookies and whether third parties can gain access to the cookies. With its decision, the court has made clear that the cookie consent requirement applies in scenarios – even where the data are not personal data.

The court’s reasons

The court had to interpret the requirements concerning the type of consent required under the ePrivacy Directive (2002/58/EC) and did so by applying the consent standards of the General Data Protection Regulation (GDPR). Since the GDPR undisputedly requires active and explicit consent, the court found the opt-out system used by Planet49 was unlawful. The CJEU also referred to recital 32 of the GDPR, which states that ticking a box is a valid way for a user to provide consent.

Relevant Data Protection Authorities’ (DPA) Guidelines

The court’s ruling is not surprising. It continues the effort to broadly protect internet users. It consistently implements the requirement of consent across the GDPR and the ePrivacy Directive. And it confirms much of what the DPAs already considered to be the correct approach.

However, existing DPA guidelines deviate slightly from the court’s ruling – in particular, the guidelines of the German Datenschutzkonferenz (DSK) (a joint committee of the state data protection authorities and the Federal Data Protection Commissioner in Germany), the British Information Commissioner’s Office (ICO) and the French data protection authority (CNIL).

All three guidelines have in common that they already contain the requirement of consent when it comes to cookies. And they all outline certain requirements on obtaining lawful consent. Pursuant to Art. 4 No. 11 and Art. 7 GDPR, consent must be freely given, specific, informed and unambiguous indication of the data subject’s wishes:

  • This requires that the user must be provided with sufficient and comprehensible information regarding the use of cookies on the website. In the case the website operator does not provide sufficient and comprehensible information, the users’ consent could be deemed invalid.
  • According to recital 43 GDPR, consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations. Thus, the users must be provided with the choice of the cookies to which they would like to consent.
  • In addition, Art. 4 No. 11 GDPR requires consent through a statement or by a clear, affirmative action by the data subject that signifies agreement to the processing of personal data relating to him or her. Placing a checkmark or clicking on a button can be an affirmative action in this regard. Any opt-out procedure, however, does not suffice in this regard.
  • Until there is an active opt-in by the visitor, all processing operations that require consent must be blocked.
  • The affected individuals must be able to withdraw their consent. Withdrawing consent must be possible and as easy as consenting in the first place.

The three guidelines, however, do not explicitly state that consent is also necessary where non-personal data are collected. This is not surprising since without personal data there are no data protection related issues. As the CJEU has made clear, however, the ePrivacy Directive in this context does not differentiate between personal and non-personal data.

Furthermore, the CNIL does not require consent concerning all types of analytics cookies. According to the CNIL’s guidance, certain analytics tools, such as those for audience measurement, may be exempt from consent if the criteria of the guidelines are met. This exception, however, may not be consistent with the judgment of the court and will most likely be amended by the CNIL. In contrast to this, the ICO has confirmed that consent is required for all analytic cookies and there is no exception to this rule. Though the ICO does state that it is “unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals,” and first-party analytics cookies are given as an example of cookies that are potentially low risk.

Another difference between the three is regarding the legality of so-called “cookie walls”. A cookie wall requires users to accept the setting of cookies before they can access website content. While the German DPAs and the CNIL consider “cookie walls” to be non-compliant with GDPR, the ICO merely notes that consent that is forced by a cookie wall is “unlikely to be valid”. However, the ICO also notes that GDPR must be balanced against other rights, including freedom of expression and freedom to conduct business.

The CJEU’s judgment does not bring clarity to this issue because the court did not take a position on it. Against the background of the comprehensive protection provided by the GDPR and its interpretation by the CJEU, however, one can anticipate that cookie walls may also face challenge. Website operators, therefore, should carefully consider whether and how to implement cookie walls.

Next Steps for Website Operators

Many operators will need to revisit their current cookie practices and, in many cases, update their consent mechanisms. According to the above-listed guidelines and the CJEU’s judgment, the most practical way of lawfully obtaining the users’ consent would be by implementing a cookie banner on the website. When doing so, operators should consider the following steps.

  • Provide an overview of all processing operations requiring consent. One option may be to include a drop-down menu naming the providers involved and their specific roles and functions. The visitor should be able to decide which providers might set cookies. The selection must not be activated by default.
  • Provide information on the duration of the operation of cookies and whether third parties may have access to those cookies.
  • While the banner is being displayed, block scripts on the website potentially collecting user data. However, access to the imprint and the privacy policy should not be prevented by the cookie banner.
  • Have users provide consent through an affirmative action, such as placing a checkmark or clicking on a button and using an opt-in system. Using a button solution, be clear that the user agrees to the use of cookies. Avoid combining the button with a consent to a non-cookie related subject, such as participation in a lottery or other services. Without this consent, consider employing technical measures designed to ensure that data processing activities requiring consent do not take place.
  • To fulfill accountability requirements, consider identifying the user to remember his or her choice regarding the use of cookies. This can be done by indirect identification.
  • Since the user has the right to withdraw his or her consent at any time pursuant to Art. 7 (3) GDPR, implement the ability to withdraw consent.

The implementation of a lawful opt-in system through a cookie banner does not necessary lead to a two click system where users first must select which cookies they want to accept and after that press an “ok” button. A one-click solution still seems possible by using a drown-down menu.

Critical evaluation

The CJEU’s decision will have a major impact on both internet users and website operators. The CJEU’s decision likely will lead to more intrusive banners, longer disclosures, and deeper user engagement with click throughs. This will mean an enormous effort for website operators to adapt their cookie policies accordingly. Whether this expenditure seems justified is questionable and, in the meantime, surfing the internet will certainly become more cumbersome for internet users.