Out-Law News 2 min. read
04 Oct 2019, 9:09 am
The Court of Justice of the EU (CJEU) ruled that consent "is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user’s terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent".
According to the court, reliance on pre-ticked boxes does not fulfil the requirements for obtaining consent to the use of 'cookies' under EU law, even if internet users are able to de-select the box and opt out or withdraw their consent at a later date.
The court said the standard of consent applies regardless of whether the cookies used store or access personal data.
Cookies are small text files placed on an internet user's device. They are generated by a web page server, which is basically the computer that operates a website. The information the cookie contains is set by the server and it can be used by that server whenever the user's device interacts with the site.
Websites use cookies mainly because they save time and make the browsing experience more efficient and enjoyable. Cookies also enable websites to monitor their users' web surfing habits and profile them for marketing purposes.
EU e-Privacy law requires website operators and other information society service providers to obtain internet users' consent to the use of cookies, other than those that are strictly necessary cookies, and to provide users with information about how to manage and delete cookies.
In its ruling, the CJEU further confirmed that website operators must provide their users with information concerning the duration of the operation of cookies and whether or not third parties may have access to those cookies to meet their disclosure obligations under e-Privacy law.
Technology law expert Dr. Alexander Bayer of Pinsent Masons, the law firm behind Out-Law, said the CJEU's ruling is in line with consent rules that apply to advertising communications in the EU, which requires consent to be obtained on an opt-in basis.
The ruling further "emphasises the protection of internet users’ privacy, in particular against the intrusion of hidden identifiers or similar code into computer/mobile devices", he said.
Bayer said: "The ruling is clear that businesses are required to duly inform users, upfront, about the functions and functional life of the cookie, in addition to whether or not third parties may have access to the data collected through the cookie, in order to gain valid consent from them through an active 'click'. Any pre-set checkbox won’t do the trick."
"You don’t need to look into a crystal ball to see that the principles established in this ruling will be read across in similar constellation in other cases where businesses seek to gain access and use data from consumers, not just through cookies," he said.
In recent months both the UK's Information Commissioner's Office (ICO) and France's Commission Nationale de l’Informatique et des Libertiés (CNIL) have issued fresh guidance on the application of rules on consent to cookies.
Data protection law expert Claire Edwards of Pinsent Masons said in July that while the new guidance might require businesses to revisit their consent mechanisms, potentially at great financial cost and at the risk of losing access to important data, only to have to revise them again in the not-too-distant future with the prospect of new e-Privacy laws affecting cookies in the pipeline.
Plans to replace the existing e-Privacy Directive with a new e-Privacy Regulation were first outlined in 2017, but, while MEPs agreed the European Parliament's negotiating position on the reforms in October 2017, the reforms have been delayed due to disagreements within the Council of Ministers between EU member state governments over the new standards that should apply.
New proposals designed to break the impasse were outlined by the Finnish presidency of the Council in mid-September.