Please note: the legal situation has changed since this article was published. Some of the information may be outdated.
Questions and Answers on the use of cookies and other technologies in view of the judgement of the European Court of Justice of 1 October 2019 “Planet49” (case docket number C-673/17):
How to implement cookie consent correctly?
According to the ruling, clear, active and informed consent is necessary. This requires an opt-in with clear information on the data processed. The previous opt-out solutions (e.g. an option to object only after the fact, or wording in the style “you agree to the use of the website with cookies”) are clearly no longer permissible.
Are classic cookie banners now pointless?
Yes, the widespread types of banners are opt-out solutions. These are inadmissible. Consent must be given by a clear and active statement; implied “statements” are insufficient.
May we assume acceptance when the user continues to browse the site, or use a timer for approval? How is consent given?
(Question and Answer added on 27.11.2019.)
Consent is a declaration of intent and can only be given through positive action. Silence is no statement. In concrete terms, this means that statements such as “By visiting this site, you agree to…”, “If you do not object, we assume that you agree” or similar statements, as well as automatic confirmations by timers, do not constitute consent.
May the declarations be prefilled (e.g. check mark already set)?
The judgment is refreshingly clear on this point. The user must actively choose a cookie. It remains to be seen, however, whether this may be done in a bundled form for entire groups of cookies.
Specifically, the requirement of active action is clearly described in paragraphs 52 and following, in which the European Court of Justice states:
…the requirement of an ‘indication’ of the data subject’s wishes clearly points to active, rather than passive, behaviour. However, consent given in the form of a preselected tick in a checkbox does not imply active behaviour on the part of a website user.
Since active consent needs to be given “without any doubt” (according to the wording of the law, which the court also quotes in para. 54), the court concludes that consent could practically not be established unless it is given through active action (para. 55). This also means: pre-selected checkboxes are not sufficient.
On the other hand, the court did not have to deal with the question of whether bundled consent may be given for several topics. An extreme case of such bundling could, for example, look like this: “We would like to set cookies for retrieval statistics on the one hand, and a Google cookie for personalised advertising on the other, which can also reidentify you on other websites.” Can such a sentence, combined with one button each for consent and rejection, represent effective consent? The judgment provides no answer. An indication may result from the stringent requirements the court describes regarding the transparency of the presentation and the information given to data subjects. Combining several topics into one statement makes it difficult for users to recognise and understand the planned activities. Consequently, a cautious approach and obtaining expert advice in individual cases are advisable.
In principle, a skilful, UX-driven and user-centric design on the one hand, and a presentation slightly nudging the user towards consent on the other, seem possible in individual cases. However, the design must comply with the legal requirements; in particular it should focus on the user and must ask for clear, informed and active consent.
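As an added example (not part of the original article), the requirements discussed above expressed in code: a minimal consent model in which nothing is preselected, a decision is recorded only on an explicit click, and non-essential cookies are set only after the matching opt-in. The `jar` Map and the category names are assumptions standing in for a real cookie store and a real banner.

```javascript
// Added example, not from the article: a minimal consent model enforcing the
// requirements discussed above. The in-memory `jar` (a Map) is a hypothetical
// stand-in for document.cookie so the code runs outside a browser.

const NON_ESSENTIAL = ["statistics", "marketing"]; // each needs its own opt-in

function createConsentState() {
  // Nothing is preselected: every non-essential category starts at false,
  // and no decision has been recorded yet.
  const choices = {};
  for (const c of NON_ESSENTIAL) choices[c] = false;
  return { decided: false, choices, recordedAt: null };
}

// Only an explicit user action counts. Callers pass how the decision was
// triggered; timers, scrolling or simply continuing to browse are rejected.
function recordDecision(state, choices, trigger) {
  if (trigger !== "user-click") {
    throw new Error(`no consent: trigger "${trigger}" is not an active statement`);
  }
  for (const c of NON_ESSENTIAL) state.choices[c] = choices[c] === true;
  state.decided = true;
  state.recordedAt = new Date().toISOString(); // evidence of when consent was given
  return state;
}

// Sets a cookie only if its category is strictly necessary (session id,
// language) or has been actively opted in. Returns whether the cookie was set.
function setCookie(jar, state, name, value, category) {
  if (category === "essential") {
    jar.set(name, value);
    return true;
  }
  if (!state.decided || state.choices[category] !== true) return false;
  jar.set(name, value);
  return true;
}
```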
Who is affected?
Almost everyone who runs a website, offers web apps or carries out similar activities. And the verdict goes even further than cookies. The underlying Directive 2002/58/EC is often referred to as the Cookie Directive, in line with its most prominent field of application. However, its correct title is “Directive on privacy and electronic communications”, in short the “ePrivacy” Directive. The provision relevant for cookies (Art. 5 para. 3) refers generally to “information stored in the terminal equipment of a subscriber or user”.
What if we do not process personal data?
The requirements applicable to cookies do not originate exclusively from the General Data Protection Regulation (GDPR, German abbreviation DSGVO); the cookie banner discussion is triggered by a rule of the so-called ePrivacy Directive. This directive regulates data protection in connection with telecommunications services and user devices. It does not depend on whether the data is personal; the regulation also applies to other data. A relatively narrow exception applies to technically necessary processes (see next question).
Are there any exceptions? What about cookies necessary to providing the service?
Technical ‘storage’ or ‘access’ shall not be restricted if they are, in my own wording, ‘strictly necessary’ to provide the service. Common examples of this are cookies that store a session, for example for login functionality, as well as for storing the shopping basket (the period during which the cookie is kept is under discussion, though) and the like. On this page, for example, we use automated recognition of the language version. In order for this to function reliably, i.e. to prevent a relapse to the detected language after manual switching, it may be necessary to re-identify the user for a short time. We use a session cookie for this purpose. Here we assume that this processing is “absolutely necessary”. For this exception to apply, it is very important that the processing takes place solely for this purpose and not for other purposes; otherwise the service provider will lose credibility. Session cookies may also be required for logins, as there is no possibility of recognising the user as logged in without storing such an identification feature. The same applies to the contents of the shopping basket in an online shop.
In contrast, analytics services will usually not be necessary for the operation of the service. In consequence, consent will probably be required for them.
In general, the assessment should follow this rule: in case of doubt, assume that a given activity is not necessary for providing the service and obtain consent. Within the considerable grey area, there is a significant risk of invalidity.
Can consent be given for multiple cookies at once?
As the court could leave this question unanswered in the judgment (the consent was already invalid for structural reasons), the situation is still unclear. In any case, “consents” covering very different categories of data (e.g. the storage of sensitive personal data “coupled” with consent to storing the colour preference for the presentation of the website) can be considered problematic.
Can I use other technologies instead of cookies, such as profiling?
No, that is not recommended. On the one hand, the ePrivacy Directive does not specifically refer to cookies; it is technologically neutral. On the other hand, profiling can also pose difficulties with regard to the GDPR. It should therefore not be used without specific legal advice in individual cases.
What do I need to explain to users?
The judgment also contains remarkably clear rules on what information users should receive. It requires all the information necessary to understand the storage, namely:
- The relevant cookies
- Their content (if not self-evident) and purpose (e.g. marketing, statistics)
- How the data processing works
- Information on storage duration
- Whether the content is shared with third parties (and, if so, with whom or with which categories of recipients)
If personal data is processed, all information required by the GDPR (DSGVO) must also be provided.
Why now? What do all the different laws have to do with each other?
A verdict on such a matter was a long time coming anyway. The decision concerns conduct that still took place under the old legal situation, but in view of the developments since then the courts have fortunately found a way to also make a statement that is valid under the GDPR. The ePrivacy Directive should actually have been replaced by a new law at the same time as the GDPR was introduced, but this second regulation “got stuck” in the political process. In this respect, we have two sets of laws that do not fit together systematically. I do not know when the new ePrivacy Regulation is to be expected as a follow-up law.
Do we not have an applicable German exception?
For a long time, German lawyers used § 15 Abs. 3 of the German Telemedia Act (Telemediengesetz, TMG) to justify a deviation from the broader European understanding. However, as the ruling of the ECJ makes clear, this interpretation does not conform to European law. Therefore, as of now, we can expect German courts to interpret the German law in the light of the requirements of the ECJ and come to conclusions similar to those mentioned above.
May consent be coupled with other consent?
This remains unclear. It was irrelevant in the present case and was therefore not decided.
Disclaimer: This text presents a simplified overview of the topic. It neither constitutes legal advice nor does it replace such advice.