On October 1, 2019 the Court of Justice of the European Union (CJEU) issued a new judgment on the use of cookies which, under the EU E-Privacy Directive, requires users’ informed consent. The court decided that:
- the cookies consent cannot be obtained by using a pre-ticked consent checkbox; and
- information must be provided to users which includes the duration of the operation of cookies and whether third parties may have access to the cookies.
Background
The case relates to a legal dispute between a German consumer protection organization and an organizer of online lotteries. The lottery organizer used various marketing cookies on its website for which it obtained the website users’ consent by way of a pre-checked checkbox that users could deselect if they did not wish to agree to such cookies. The consumer protection organization claimed that the way the cookies consent was obtained was not compliant with EU legislation.
In this context, the German Supreme Court submitted two questions to the CJEU. The first question pertains to the method of how cookies consent can be obtained. The second question seeks guidance on the scope of information that should be provided to website users.
CJEU’s Considerations
What type of consent?
The CJEU’s answer to the first question is straightforward. The CJEU concludes that consent must be active, informed and unambiguous (which is also in line with the definition of consent under the GDPR). The court then states that the use of a pre-ticked checkbox makes it impossible to ascertain whether a user has given consent in such manner. The court notes it is not inconceivable that a user might not have read the information accompanying the pre-selected checkbox, or might not have even noticed the checkbox.
Based on this, the CJEU concludes that consent will not be valid if provided by way of a pre-checked checkbox which the user must deselect to show he or she does not agree.
What information must be provided?
In relation to the second question, the CJEU concludes that information must be provided on the duration of the operation of cookies because a long or even unlimited duration could lead to the collection of a large amount of information on the user’s surfing behavior and how often they visit the websites.
In addition, information must also be given on whether or not third parties may have access to the information collected by the cookies, given that the relevant EU provisions expressly refer to information about the recipients or categories of recipients of the data.
Against this background, the CJEU concludes that the cookies information that a website operator must give to its users includes the duration of the operation of cookies and whether or not third parties may have access to the information collected by the cookies.
Conclusion
It is important to note that the CJEU’s decision was based on a company using marketing/tracking cookies and that under the E-Privacy Directive no consent is required where strictly necessary cookies are used (cookies necessary to “make the website work” or cookies used to provide services the user explicitly requests). However, in other instances where cookies are used, active, informed and unambiguous consent must be obtained, which implies that a website user must carry out an active and confirmative action.
The use of a pre-checked checkbox which allows the user to refuse consent by way of deselection does not comply with these requirements. The use of a non-checked checkbox, on the other hand, should generally be sufficient. In addition, information must be given on the duration of the operation of cookies and on whether or not third parties may have access to the information collected by these cookies.
Outlook
The CJEU’s judgment is consistent with the increasingly stringent regulations regarding the use of cookies in several EU member states. The new e-Privacy Regulation will likely bring more clarification on this issue.