Top European Court Rules Pre-Checked Cookie Consent Boxes Invalid
Under the ePrivacy Directive, in conjunction with the GDPR, the use of nonessential cookies (e.g., advertising and analytics) requires an affirmative, opt-in consent.
Pre-ticked check boxes and other defaults that do not provide a freely given, specific, informed, and unambiguous indication of the data subject’s wishes to have cookies placed on his or her devices are not permitted.
Organizations must also provide clear and comprehensive information for a user to understand the consequences of his or her consent, including the duration of the operation of cookies and whether third parties will have access to the cookies.
On October 1, 2019, the Court of Justice of the European Union (CJEU) ruled that active consent is required for a website to store cookies on user devices. In particular, the CJEU ruled that a pre-checked check box that users must actively deselect is not a valid form of consent. Importantly, the CJEU specifically stated that consent is required for all types of cookies, not only for cookies that contain personal data. However, the CJEU did not address whether its ruling applies to both essential (e.g., required for the website to provide the services) and nonessential cookies or if it should apply solely to advertising cookies (examples of nonessential cookies are provided below). It also did not directly address other forms of consent, such as the use of cookie banners. As a result of this ruling, organizations that are subject to the General Data Protection Regulation (GDPR) should review their existing cookie consent processes and policies to ensure that data subjects are provided comprehensive and sufficiently detailed information with which to give informed consent regarding cookies, as well as an opportunity to provide affirmative, opt-in consent before cookies are stored on their devices.
Overview of the Ruling
Planet49 is an online gaming company that hosted a promotional lottery on its website in September 2013. To sign up for the promotional lottery, internet users could access the website and enter their names and addresses via an online form. The form contained two boxes for consent from the data subject:
The first check box requested the data subject’s permission to give sponsors and cooperation partners consent to provide the user with information about their businesses. This check box was unchecked by default, and the data subject actively had to select the box to indicate his or her consent.
Users were required to check the first check box giving sponsors consent to provide the user with information about their organizations in order to submit their information and enter the lottery, but were not required to take any action on the second check box regarding cookies in order to submit an entry. The German Federal Court of Justice requested that the CJEU provide guidance on whether the use of a pre-ticked box to consent to the reading or writing of cookies was valid under the European Union ePrivacy Directive, read in conjunction with the consent requirements of the Data Protection Directive (DPD) and the GDPR, and whether it made any difference if the information stored or accessed in the cookies constituted personal data.
The Court's Analysis
The CJEU analyzed whether presenting the pre-checked check box to users who sign up to enter the promotional lottery, while still requiring the data subject to manually check the other box for disclosing information to sponsors, was enough to provide valid consent from the users to store cookies on their devices.
Major Findings of the CJEU
The ePrivacy Directive, read in conjunction with either the DPD (now repealed by GDPR) or the GDPR, prohibits the use of pre-checked boxes and requires an affirmative, opt-in consent before writing nonessential cookies
Active, opt-in consent is required for cookies under the ePrivacy Directive regardless of whether the information in the cookies is considered personal data or not. Pre-checked boxes do not meet the requirement, even if there is some other affirmative action required.
The ePrivacy Directive, read in conjunction with either the DPD or the GDPR, requires that a website operator provide the duration that the cookies will operate and an indication of the third parties that may read the cookies.
CJEU Finding #1: The ePrivacy Directive, read in conjunction with either the DPD or the GDPR, prohibits the use of pre-checked boxes and requires an affirmative, opt-in consent before writing nonessential cookies.
The CJEU also analyzed the requirements for consent under the GDPR, stating that it was appropriate to consider the applicability under the GDPR as well as the DPD because the GDPR would be applicable ratione temporis (by reason of time) to the case, since the GDPR replaced the DPD and explicitly stated that references to the DPD in the ePrivacy Directive are to be construed as references to the GDPR. The CJEU recognized that the GDPR’s definition of “consent” is even more stringent than that of the DPD, and requires that consent be a “freely given, specific, informed, and unambiguous” indication of the data subject’s wishes in the form of a “clear affirmative action” signifying his or her consent. The CJEU further noted that Recital 32 of the GDPR provides explicit guidance in this regard, stating that while consent could include ticking a box on a website, “silence, pre-ticked boxes or inactivity” does not constitute consent. Thus, the CJEU held that active consent is explicitly required under the GDPR and, when read in conjunction with the ePrivacy Directive, such consent for cookies is not validly given through the use of pre-checked check boxes that a user must deselect in order to refuse his or her consent.
CJEU Finding #2: Active, opt-in consent is required for cookies under the ePrivacy Directive regardless of whether the information in the cookies is considered personal data or not.
The CJEU next turned to the question of whether active consent is still required when the information stored in the cookies is not considered personal data within the meaning of the DPD or the GDPR. The CJEU determined that this makes no difference, noting that the ePrivacy Directive simply refers to consent being required prior to the “storing of information” or the “gaining access to information already stored” without limiting the requirement for consent to information considered personal data. Instead, the CJEU noted that the intent of the consent requirement in the ePrivacy Directive was to protect the user from interference with his or her “private sphere,” i.e., the risks posed by hidden identifiers and similar devices placed on the user’s devices without the user’s knowledge, and not just the privacy of the user’s personal data. Accordingly, the CJEU held that the consent requirements are not to be interpreted differently according to whether or not the information in the cookies is considered personal data.
CJEU Finding #3: The ePrivacy Directive, read in conjunction with either the DPD or the GDPR, requires that a website operator provide the duration that the cookies will operate and an indication of the third parties that may read the cookies.
Finally, the CJEU determined whether the ePrivacy Directive required the website operator to provide the duration of operation of its cookies or an indication of any third parties that may have access to the cookies in order to obtain properly informed consent. The CJEU noted that the ePrivacy Directive requires that users be provided with clear and comprehensive information in accordance with the DPD about the purposes of the processing, and this requires that the user be in a position to easily determine the consequences of any consent he or she may give. In the context of cookies, this information must be comprehensive and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies. Both the DPD and the GDPR provide a list of information that must be provided to a user before personal data is collected or otherwise processed. In the DPD, the controller is required to provide “any further information… in so far as such further information is necessary… to guarantee fair processing with respect to the data subject.” Although the duration of the processing is not explicitly stated in the DPD, the use of the language “at least” indicates that the types of information required to be provided are not listed exhaustively in the DPD. The CJEU found that disclosure of the duration of the operation of the cookies is required for fair processing, especially given that, in this case, a long or unlimited duration of the cookies could mean that a large amount of information on the user’s surfing activities would be collected and provided to Planet49’s advertising partners.
The GDPR also has an explicit requirement that controllers must, in order to ensure fair and transparent processing, provide information relating to the period for which personal data will be stored (or the criteria used to determine that period). Accordingly, the CJEU found that disclosure of the duration of the operation of the cookies and of whether or not third parties will have access to those cookies is required to meet the notice requirements of the ePrivacy Directive when read in conjunction with the DPD or the GDPR. Thus, the CJEU further held that because both the GDPR and the DPD require that data subjects be provided notice of the recipients or categories of recipients of personal data, users must be provided with notice that third parties may have access to cookies.
Valid Consent Requirements
Under the CJEU’s ruling, organizations that are subject to the GDPR may obtain valid consent from users to accept cookies on their devices only if the users actively provide that consent. For example, organizations may obtain such consent by presenting users with an option that requires them to select an unchecked check box. When presenting the option, the organization must inform users of the purposes for using the cookies, including the length of time that the cookies will be active and whether information gathered from the cookies will be shared with any third parties and, if so, the categories of third parties with which the data is shared.
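The three requirements above (an unchecked box the user must tick, a notice stating duration and third parties, and no nonessential cookies before consent) as a server-side consent gate. This is an added example, not code from the article, the court, or Planet49; the cookie declarations, third-party name and function names are constructed for illustration.

```javascript
// Constructed cookie declarations: one essential session cookie and one
// advertising cookie. Essential cookies need no consent; the advertising
// cookie does, and its notice must state duration and third parties.
const COOKIE_DECLARATIONS = [
  { name: "session_id", essential: true, purpose: "keeps you signed in",
    maxAgeSeconds: null, thirdParties: [] },
  { name: "ad_id", essential: false, purpose: "advertising measurement",
    maxAgeSeconds: 365 * 24 * 3600, thirdParties: ["ExampleAds Ltd (constructed)"] },
];

// Consent counts only when the box was unticked by default and the user
// actively ticked it. A pre-ticked box, silence or inactivity is not consent,
// even if the user performed some other affirmative action on the form.
function isValidConsent(box) {
  return box.defaultChecked === false && box.checked === true && box.source === "user";
}

// Notice text shown next to the box: purpose, storage duration in days and
// the third parties that may read each nonessential cookie.
function consentNotice(decls) {
  return decls.filter((d) => !d.essential).map((d) => {
    const days = Math.round(d.maxAgeSeconds / 86400);
    const who = d.thirdParties.length ? d.thirdParties.join(", ") : "no third parties";
    return `${d.name}: ${d.purpose}; stored for ${days} days; readable by ${who}`;
  });
}

// Set-Cookie headers to emit for a response: essential cookies always,
// nonessential cookies only behind valid consent. Max-Age is taken from the
// declaration, so the cookie cannot outlive the duration the user was told.
function setCookieHeaders(decls, box, values) {
  return decls
    .filter((d) => d.essential || isValidConsent(box))
    .map((d) => {
      const attrs = [`${d.name}=${values[d.name]}`, "Path=/", "Secure", "SameSite=Lax"];
      if (d.maxAgeSeconds !== null) attrs.push(`Max-Age=${d.maxAgeSeconds}`);
      return attrs.join("; ");
    });
}
```

The `source` field is whatever the form handler records about how the box reached its state; a box submitted in its default state never yields consent, however it was rendered.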
Impact on Business
The ePrivacy Directive does not require consent for “essential” cookies, i.e., cookies used for the sole purpose of carrying out the transmission of a communication and cookies that are strictly necessary in order for the website provider to provide the requested services. However, the ePrivacy Directive requires consent for, and the CJEU’s ruling therefore applies to, a wide range of commonly used nonessential cookies, such as:
User input cookies, for the duration of a session
Authentication cookies, for the duration of a session
User-centric security cookies, used to detect authentication abuses and linked to functionality explicitly requested by the user, for a limited persistent duration
Multimedia content player session cookies, such as Flash player cookies, for the duration of a session
Load balancing session cookies, for the duration of a session
Overall, organizations that provide services in Europe must take a proactive approach to addressing this ruling by the CJEU to avoid breaching the GDPR and the ePrivacy Directive. It is also unlikely that the long-running efforts in the EU to adopt the ePrivacy Regulation will materially change or nullify this ruling by the CJEU. Organizations should review any pre-checked cookie consents they may have and remove any pre-checked check boxes they use to obtain consent to store cookies on a user device. They should also ensure that any banners they use to obtain consent to store cookies provide the required information and require an active acceptance from the user.