In a judgment dated 1 October 2019, the European Court of Justice has ruled that the authorisation of cookies presupposes an active action on the part of the users. Default marked checkboxes are therefore not allowed. Furthermore, website administrators must also provide information about any recipients or categories of recipients (if relevant) and the lifespan of the cookies.
On the basis of the e-Privacy Directive of 12 July 2002, which has also been transposed into Belgian law, the general rule is that the placing of cookies requires the consent of users. However, some cookies are exempt from this requirement. Regardless of whether or not consent is required, website operators must also inform users about the placement of cookies.
In a recent judgment of 1 October 2019 ( C-673/17, Planet49 GmbH ), the Court of Justice ruled further on (i) the requirements for a legally valid authorisation of cookies and (ii) the information to be provided about cookies.
In this case, a German company had organised an advertising lottery on a website, allowing users to agree to cookies showing personalised advertisements based on surfing behaviour. This consent was requested via a checkbox that was selected by default and that users had to uncheck if they wanted to withhold their consent.
The Court of Justice ruled that permission for cookies cannot be obtained legally by a default ticked box. This consent must meet the same requirements as under data protection legislation, which means, among other things, that it must be an active action. A pre-ticked checkbox does not meet this requirement.
According to the Court of Justice, the above applies all the more so under the General Data Protection Regulation (“GDPR”). After all, the GDPR expressly prescribes that consent must be active. This is not the only requirement for a legally valid consent, as the consent must be not only unambiguous (and therefore active), but also free, specific and informed.
The Court of Justice has further specified that for the validity of the consent for cookies, it does not matter whether or not the information stored contains personal data. Even if this is not the case, the authorisation of cookies requires an active action. The purpose of the consent requirement is to protect users from all possible interference with their private lives, whether or not that interference relates to personal data.
According to the Court of Justice, the information provided must allow users to know the exact consequences of their consent. This means that users must be informed not only about, for example, the identity of the controller and the purposes of the cookies, but also about:
- the recipients or categories of recipients of the data, if this is necessary to ensure fair processing towards the users;
- the length of time cookies have been active, given that a long or even unlimited period of time can result in a large amount of information being collected about the surfing behaviour of users.
At European level, an e-Privacy Regulation is currently under preparation, which will replace the current e-Privacy Directive and may amend the existing legal framework on cookies in future. We will certainly follow this up for you.
Action point
Check which cookies you use on your website and whether you have received GDPR-compliant permission to do so (if required). Also check whether you provide sufficiently accurate information about the cookies (e.g. in a cookie notice), including information about any recipients or categories of recipients and the lifespan of the cookies.