The European Court of Justice (ECJ) has provided welcome clarity on the consent requirements around the use of cookies by website operators. As if it were ever in doubt, pre-ticked boxes cannot be used as a means of obtaining a website user’s consent to the use of cookies.
The clarity from the ECJ has come in the form of its ruling in the Planet49 case. Planet49 (a German company) organised promotional lotteries on its website. To enter, entrants had to provide certain personal details. The entry page also had two tick boxes which the entrant had to engage with. The first, which was not pre-ticked, had to be ticked to participate. Ticking the box gave consent to the entrant being contacted by various businesses about their offers. The second box, which was pre-ticked, gave consent for cookies to be placed on the entrant’s device. The second tick box did not need to be ticked to participate, but if the entrant did not wish to have cookies dropped, he had to untick the box.
The ECJ said that this approach was unlawful. Valid consent requires the user’s consent to be freely given, specific, informed and unambiguous. The ECJ said that if the box was pre-ticked, and the user did not engage with it in any way, then how could anyone determine if the user had given consent? They may not even have noticed the tick box. By contrast, by ticking the box, the user would have taken an active, measurable step to give consent.
This ruling isn’t exactly “hold the front page” news – it would have been far more surprising had the ECJ ruled otherwise. So why is it important, you may ask?
Since the introduction of the E-Privacy Directive 2002, consent has been required to drop non-essential cookies. These are cookies which are nice to have, such as analytics or advertising cookies, but are not essential to the operation of the website like a shopping cart cookie is (without a shopping cart cookie to remember what you’ve put in your basket, a website wouldn’t be able to sell you the things you want to buy.)
However, since the GDPR came into force in May 2018, we have had a new standard of consent to grapple with. Whilst the E-Privacy Directive sets out the obligation to obtain consent to the use of cookies, it is the GDPR which sets the standard of that consent, and many website operators have been in doubt as to exactly what that consent should look like. And rather than do anything about it, many have chosen to sit on the electronic fence (ouch) until further guidance was forthcoming. Or instead read: until someone found themselves on the wrong side of an ECJ ruling.
To the extent there was ever any doubt, the ECJ has now removed it. So the effect of this ECJ ruling is that website operators can no longer take the “wait and see” approach on their websites. We have waited and now we have seen, and it will be interesting to see how website operators respond and what steps they take to make their cookie consents compliant.
This means:
No more implied consent: This is the “By using this website, you consent to our use of cookies” approach. To be honest, there has never been any doubt that this falls well short of the GDPR standard of consent.
No more cookie consents and preference centres with pre-ticked boxes: Many websites now use third-party tools to manage the visitor’s choices when visiting a website and it is likely that the ECJ ruling will see even greater take up. These tools have an almost bewildering array of toggles allowing the visitor to opt in to different sorts of cookies. Some website operators have these toggles set to “ON”, others have them “OFF”, whilst still others have a mix of “ON” and “OFF”. According to the ECJ, these should all be “OFF” by default. However, there is some doubt as to whether all non-essential cookies should be treated the same – some functional and performance are perhaps less intrusive than advertising/tracking cookies, and the UK’s ICO has hinted in its own cookie guidance that first-party analytics cookies that present low levels of intrusiveness and risk to individuals may not be high up on its list of priorities.
If there’s one regret about the ECJ judgment, it is that it didn’t consider the lawfulness of cookie walls. This is where the website operator makes cookie consent a pre-requisite for access. It is difficult to see how consent can be freely given if it is compulsory, but it may be that there are circumstances where this might make sense. For example, in the case of a paid platform where cookie consent is given in lieu of payment for access. Clarity in this area is much needed, so it’s a shame the ECJ didn’t cover this. I suppose that’s the just way the cookie crumbles......