Websites: the European Court of Justice rules on consent for the installation of cookies

08/10/2019
Judgement 1/10/2019 (case C-673/17)

As a law firm, we have often dealt with the data protection issues of websites in general and the management of cookies in particular.

From a regulatory point of view, the difficulty lies in the fact that the current legislation, the ePrivacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector), is being "updated" and has not been directly repealed by EU Regulation 2016/679 (hereinafter also GDPR). Therefore, the previous legislation and the GDPR have to coexist in regulating many aspects, including the issue of cookies. From a technical point of view, cookies are evolving rapidly, and it is often difficult to identify how to manage them correctly from a regulatory point of view.

The Court of Justice has recently been called upon to rule on this issue.

The company Planet49 organized a game with prizes on the website www.dein-macbook.de.

Internet users who wanted to participate in this game had to provide their postal code, which took them to a web page where they had to enter their name and address. Below the address fields were two captions, each accompanied by a checkbox.

The first caption, whose respective box (hereinafter referred to as the "first check box") was not pre-selected, read as follows: ‘I agree to certain sponsors and cooperation partners providing me with information by post or by telephone or by email/SMS about offers from their respective commercial sectors. I can determine these myself here; otherwise, the selection is made by the organiser. I can revoke this consent at any time. Further information about this can be found here.’

The second caption, whose respective box (hereinafter referred to as 'the second check box') was preselected, read as follows: ‘I agree to the web analytics service Remintrex being used for me. This has the consequence that, following registration for the lottery, the lottery organiser, [Planet49], sets cookies, which enables Planet49 to evaluate my surfing and use behaviour on websites of advertising partners and thus enables advertising by Remintrex that is based on my interests. I can delete the cookies at any time. You can read more about this here.’

It was only possible to participate in the game after having checked at least the first checkbox.

The case was examined by the German Federal Court of Justice (Bundesgerichtshof), which referred the matter to the European Court of Justice to clarify whether, in the light of EU law, consent to the installation of cookies could be validly obtained in the manner described above, and what information should be provided to the user regarding the use of cookies in order for the consent given to be deemed to be "informed".

The EU Court's judgment

It should be recalled that the consent of the data subject is only one of the legal bases authorising the processing of personal data. In fact, however, it is the one most used on the Internet. Despite this, the requirements for consent to be considered valid have long been uncertain.

The EU legislation in force before the GDPR (i.e. Directive 95/46/EC) required that the data subject should express his or her consent to the processing of his or her data by means of a "free, specific and informed expression of his or her wishes". However, these requirements were interpreted differently in the different Member States. The entry into force of the GDPR also has the objective of strengthening and harmonising the rules on consent.

To this end, the definition of 'consent' currently provided in Article 4(11) of the GDPR specifies that, in addition to being free, specific and informed, consent must express the 'unambiguous' wishes of the data subject, who agrees to the processing of his or her personal data.

This definition of consent also applies for the purposes of the ePrivacy Directive 2002/58/EC, i.e. the Directive that establishes the obligation to obtain the user's consent to the installation and use of cookies.

According to the EU Court, in particular, both under Directive 95/46/EC and the GDPR, consent must be given actively.

In this regard, a consent given by means of a pre-formulated declaration requiring the user to actively object if he/she does not consent to the processing of data shall not be considered valid.

On that point, the Court points out that it is practically impossible to determine objectively whether, by not unchecking a pre-selected box, the user of a website has actually given his consent to the processing of his personal data and, in any event, whether that consent has been given in an informed manner. Therefore, the consent to the use of cookies by means of a pre-selected checkbox, which the user must uncheck in order to deny his/her consent, is not to be considered validly expressed, regardless of whether or not the information stored or consulted by means of cookies constitutes personal data.

Furthermore, the Court considers that, at the time when he/she is required to give his/her consent to the use of cookies, the user must be informed, inter alia, of the duration of the cookies, as well as of whether or not certain third parties have access to the cookies themselves.

The considerations of the EU Court provide some firm ground on the subject of data protection and cookies, where the rules are not always easy to apply. From what can be deduced from the Court's judgment, the still quite common practice of requesting users' consent with pre-ticked checkboxes is definitively prohibited.

In addition, it is now understood that the information requirements relating to the use of cookies must be strengthened and supplemented, among other things with regard to the cookies' retention period.

Finally, it should be noted that the Court has not ruled on the compliance with the GDPR of the practice of making access to a website subject to the user's consent to the processing of their personal data by cookies. Therefore, for the time being, the compatibility of so-called cookie walls with the GDPR remains uncertain, from the Court's point of view, as the Dutch supervisory authority has expressed its opposition.

We certainly recommend that website operators revise their cookie policy, bearing in mind that the revision work will probably have to be repeated in the near future.