In the past months, European data protection supervisory authorities were pushing for opt-in consent as the standard model for using cookies that are not strictly technically necessary for the provision of a website, such as for purposes of ad retargeting, cross-website or cross-device tracking and possibly even tools for website analysis. In a landmark decision, the European Court of Justice (ECJ), being the highest judicial authority when it comes to interpreting EU laws, has now confirmed that opt-out procedures for many cookies and web beacons are not in compliance with EU legal requirements.
The precedent confirms the view taken by the authorities that passive user behaviour - for example continuing to use the website or clicking away cookie overlays without actively accepting cookies - does not constitute valid consent under the current cookie regulations. We answer the 7 most relevant questions on the ruling and what it means for website providers that are based outside the EU but still fall within the international scope of EU data protection laws.
1. What was the case about?
In the case “Planet49” at the European Court of Justice (judgment of 1 October 2019, C-673/17), a German company invited its website visitors to participate in a promotional lottery for free. During the sign-up process, the participants were asked to allow ad cookies by means of a tickbox with the following description:
“‘I agree to the web analytics service Remintrex being used for me. This has the consequence that, following registration for the lottery, the lottery organiser, [Planet49], sets cookies, which enables Planet49 to evaluate my surfing and use behaviour on websites of advertising partners and thus enables advertising by Remintrex that is based on my interests. I can delete the cookies at any time. You can read more about this here.’”
This box was pre-checked, leaving it to the user to uncheck it and thereby refuse consent to the placement of cookies on his or her device. Leaving that particular box ticked was not a condition for participation in the lottery. If the user followed the link underlying the word “here” at the very end of the notice, the user was directed to a privacy statement with additional information on the functionalities of cookies and instructions on how to erase the cookies and stop further tracking of browsing activities in the future.
2. What are the requirements set out by the ECJ?
The ECJ held that “consent [...] is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user’s terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent”.
In the light of this finding, the key takeaway of the ruling is that the widespread practice of enabling cookies when the user accesses the website seems outdated, even if the website has a feature which allows users to change the settings and to disable cookies through a cookie banner. Placing cookies that are not strictly necessary for the provision of the website will only be considered lawful after the user has actively agreed to it.
The court also gives guidance on the information that must be provided to the user when asking for his or her consent. Pursuant to the ePrivacy Directive, website providers must provide the user with “clear and comprehensive information” in accordance with the GDPR. According to the ECJ, this must also include information on “the duration of the operation of cookies and whether or not third parties may have access to those cookies”. Further information may be required under Art. 5(3) ePrivacy Directive and the GDPR.
3. Which cookies require such an opt-in procedure?
According to the EU ePrivacy Directive, the consent requirement does not apply to cookies that are technically strictly necessary for the provision of an online service explicitly requested by the user. This exception particularly covers many first-party cookies, for example those necessary for an online shop basket checkout process or for a video streaming service that the user wants to access.
Cookies used for marketing purposes are unlikely to be considered strictly necessary for the provision of the website in many cases and thus require consent. The ECJ ruling concerns cookies feeding ad networks. Consequently, the consent requirement will also apply to other cookies and web beacons used for retargeting, collecting behavioral data for personal profiling and personalizing online ads, particularly including those placed by third parties through pixel tags.
However, in the “Planet49” decision, the ECJ refrains from providing detailed guidance on where to draw the line. Whether or not web analysis tools such as Google Analytics require consent is still far from crystal clear. As a rule of thumb, companies should err on the side of consent where third-party vendors are involved and where the data collected are used for individual marketing rather than statistical analysis.
4. How is this all relevant for non-EU companies?
Good question! Companies without any establishment within the EU are unlikely to be affected by the ePrivacy Directive. It must be kept in mind, however, that the Directive provides specific rules prevailing over the GDPR only within its own scope of application. Conversely, this means that the GDPR remains applicable where the ePrivacy Directive is not. And the GDPR has a wide international reach, applying to any non-EU company that targets the EU market in a very broad sense.
But what difference does it make whether the GDPR or the ePrivacy Directive applies to a non-EU company? The answer is twofold. On the one hand, from a legal point of view, the GDPR offers more room to argue about whether consent is required for certain cookies in the first place, since exceptions from the consent requirement are not limited to strictly necessary cookies as under the ePrivacy Directive. For example, German authorities take the view that, under the GDPR, some website analysis tools can be used without asking users for consent, because the processing of personal data can be justified by the legitimate interests of website providers.
On the other hand, particularly with regard to cookies used for marketing purposes, it is likely that the less specific GDPR provisions will commonly be interpreted in line with the ePrivacy rules. In practice, the legal interpretation of the GDPR will be influenced by how the European Court of Justice understands the requirements of the ePrivacy Directive. Moreover, where consent is deemed to be required under the GDPR, the same conditions for obtaining valid consent as in the case described above will have to be met.
Depending on which laws are applicable in an individual case, website providers that fail to comply with the ePrivacy Directive may be subject to administrative fines and legal actions by competitors or consumer protection agencies claiming injunctive relief.
5. What website architecture meets the requirements?
Website providers are strongly advised to review which cookies are being used for their services and under which technical conditions they are placed on the user’s device. We wrote about using cookies before and explained the recommendations of the German and British supervisory authorities. Since the ECJ does not object to any of their findings but rather confirms their approach, they provide helpful instructions for designing opt-in models that follow a low-risk approach with regard to the EU's legal requirements. A comprehensive compliance assessment should also include a check of whether the wording of the cookie and privacy policies needs to be adjusted in the light of the ruling.
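As an added illustration (not code from the original article or from any of the authorities it cites), the following sketch models an opt-in gate that reflects the ruling: only an affirmative user act creates consent, cookies classed as strictly necessary are exempt, every other cookie is blocked until consent for its category exists, and the notice data carries the duration and third-party information the court requires. The cookie catalogue, category names and consent-capture methods are constructed sample values.

```javascript
// Constructed sample catalogue of the cookies a site sets; names are hypothetical.
// "necessary" cookies fall under the ePrivacy exemption, all others need opt-in.
const COOKIE_CATALOG = {
  session_id:   { category: "necessary", purpose: "login session",  maxAgeDays: 0,   thirdParty: false },
  cart:         { category: "necessary", purpose: "shop basket",    maxAgeDays: 1,   thirdParty: false },
  ad_retarget:  { category: "marketing", purpose: "ad retargeting", maxAgeDays: 365, thirdParty: true  },
  analytics_id: { category: "analytics", purpose: "site analytics", maxAgeDays: 730, thirdParty: true  },
};

// Only these capture methods count as an active choice by the user. A pre-checked
// box left ticked, a dismissed banner or continued browsing are deliberately absent.
const AFFIRMATIVE_METHODS = new Set(["checkbox_ticked_by_user", "accept_button_clicked"]);

// Build a consent record. The capture method is stored alongside the categories so
// that an audit can later show the decision was not derived from a default setting.
function recordConsent(categories, method) {
  if (!AFFIRMATIVE_METHODS.has(method)) {
    return { valid: false, granted: new Set(), method };   // passive behaviour: no consent
  }
  return { valid: true, granted: new Set(categories), method };
}

// Decide whether a given cookie may be placed under the current consent record.
function mayPlaceCookie(name, consent) {
  const entry = COOKIE_CATALOG[name];
  if (!entry) return false;                          // unknown cookie: fail closed
  if (entry.category === "necessary") return true;   // strictly necessary: exempt
  return consent.valid && consent.granted.has(entry.category);
}

// Filter a batch of cookie names (e.g. from tag scripts) down to those allowed now.
function allowedCookies(names, consent) {
  return names.filter((n) => mayPlaceCookie(n, consent));
}

// Data for the consent notice: purpose, duration and third-party access per
// non-necessary cookie, mirroring the information the ECJ says must be given.
function consentNoticeEntries() {
  return Object.entries(COOKIE_CATALOG)
    .filter(([, e]) => e.category !== "necessary")
    .map(([name, e]) => ({
      name, purpose: e.purpose, durationDays: e.maxAgeDays, thirdPartyAccess: e.thirdParty,
    }));
}

module.exports = { recordConsent, mayPlaceCookie, allowedCookies, consentNoticeEntries };
```

In a real banner, `recordConsent` would be called from the click handler of an unchecked box or accept button, and third-party tags would be loaded only for names returned by `allowedCookies`.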
6. How can shrinking opportunities for monetizing user data be recouped?
Changing the processes of cookie placement and access according to the recommendations of the EU administrative bodies, at least for users visiting the website from the EU, may lead to the collection of significantly less cookie-derived data for ad purposes. Content providers that finance their services through third-party ads may consider cookie walls, which show users the requested content only after they have consented to cookies, or paywalls for users who refuse to give their consent ("consent-or-pay approach").
As we summarized recently, the compliance of such user flow designs is somewhat unclear, given the condition to obtain “freely given” consent without detriment under the GDPR and the ePrivacy Directive. Marketing networks such as Google AdSense leave their B2B customers with the burden of obtaining consent from their website visitors; however, the major AdTech players are striving for common industry standards for transparency and consent under the IAB Europe Framework.
7. Is there any other news ahead on cookie governance in the EU?
A reform of the ePrivacy Directive that governs cookie use in the EU has been on the legislative track since 2017. The new law was initially planned to come into force simultaneously with the GDPR in 2018 but has still not been adopted and is instead subject to political disputes within the institutions of the European Union. If adopted, it is likely to contain a transition period of two years before it comes into force.
What it will bring with regard to consent requirements for cookies can only be guessed at: the current stakeholder debates mostly address the same regulatory questions that have now been answered by the ECJ for the current state of legislation. The latest draft proposal for a compromise within the European Council seems rather to lower the requirements for using tracking technologies compared to the current situation, but it has been rejected by some EU member states. Observers expect no substantial political progress to be made before mid-2020.