GDPR-grade consent required by the ECJ for the use of analytics and marketing tracking cookies

Important recent development with respect to the use of tracking cookies for analytics and marketing purposes on websites, further to a judgment of the European Court of Justice (ECJ) in the “Planet49” case on 1 October 2019 (case C-673/17).

Admissible practice prior to the ECJ “Planet49” judgment

Cookies are small text files that are placed on users’ devices to collect information for various purposes, such as to remember a user’s preference, to tailor shown ads and to enable website operators to analyse traffic)

Directive 2002/58/EC, as implemented in national laws of the EU Member States, governs the use of cookies and was due to be replaced by a new ePrivacy Regulation alongside the introduction of the GDPR on 25 May 2018 (ePrivacy Directive). Under the ePrivacy Directive, the placement of cookies can only be based on consent, with the notable exception of “strictly necessary” cookies.

However, no consent pursuant to the requirements of the GDPR (which must be freely given, specific, informed and unambiguous, and must result from a clear affirmative action by the user to be valid) was obtained, as consent was inferred from the silence or the implied conduct of the user (such as the further use of the website), as long as the user was informed about the use of cookies through the use of a cookie banner and a reference to a data protection notice.

Cookies were thus often installed at the time of first access to a website. Such cookies would then immediately start collecting personal data and other information.

Typical cookie banners would read “By pursuing your navigation on the website or closing this message, you agree to our use cookies in accordance with our privacy policy” or “If you continue using our website, we will assume that you are happy to receive all cookies on this website in accordance with our cookies policy”.

Why was such practice largely considered permissible?

Prior to the introduction of the GDPR, it was widely accepted that consent could be obtained through the use of a cookie banner, simply referring users to a cookie or privacy policy and informing users that continuing to use the website implies their consent to the setting of cookies.

Post GDPR, the legal situation in relation to cookies became somewhat unclear because of the fact that the ePrivacy Directive was not replaced yet.

Despite this potential uncertainty, the above practice was still considered acceptable post GDPR by a large number of EU data protection authorities. Indeed, the consent under the ePrivacy Directive was considered different and more easy to obtain than consent under the GDPR, as the implementation of the ePrivacy Directive in the various EU member states does not refer to GDPR-standard consent.

Dissenting views

The European Data Protection Board (EDPB) issued a written opinion in March 2019 addressing the interplay between the ePrivacy Directive and the GDPR. Although not specifically addressed in the EDPB’s opinion, some suggested that the EDPB’s opinion was to be interpreted as meaning that all references to “consent” in the ePrivacy Directive means consent as defined by the GDPR.

In their guidance notes issued in July 2019, the French and UK data protection authorities (the CNIL and ICO) clearly stated (i) that it is the GDPR standard of consent that must be obtained before placing cookies on users’ devices and
(ii) that users must take a clear and positive action to give their consent to cookies (and continuing to use a website does not constitute such as valid consent).

It is worth noting that, on certain aspects, such guidance documents go further than the current draft of the new ePrivacy Regulation (dd. 4 October 2019) which is due to replace the existing ePrivacy Directive (e.g. the current draft permits operators to place first or third party cookies on users’ devices without consent for “audience measuring”, i.e. to analyse traffic passing through their websites for the purpose of optimising the service).

The ECJ “Planet49” judgment of 1 October 2019

The ECJ ruled in its “Planet49” judgment that the GDPR-standard consent also applies to the setting of cookies under the ePrivacy Directive, thereby following the interpretation of the CNIL and the ICO.

Therefore, an active and informed consent is required for placing cookies and profiling technologies including advertising cookies (but not for strictly necessary cookies). Pre-ticked boxes, for example, are not a valid mean to obtain consent.

In addition, the ECJ confirmed that it does not matter whether personal data are collected through the cookies and that consent must be obtained even when the placement of cookies does not involve the processing of personal data.

The ECJ also ruled that the controller should inform users of the lifespan of each cookie and on any third parties access to information collected through such cookies, prior to obtaining their consent.

Practical implications and recommendations

While the ICO and CNIL’s guidance and the ECJ’s “Planet49” judgment may be subject to criticism, it is likely the requirement of a GDPR-standard consent will be confirmed by the future ePrivacy Regulation (with a number of exceptions for certain types of cookies).

Accordingly, a prudent approach would consist in reviewing as soon as possible existing cookies practices, including the manner in which user consent is obtained, along with existing cookie banners, cookies information notices and consent management.

New Belgian law to govern contractual relationships between companies

Recently, the Belgian parliament adopted the Law of 4 April 2019 modifying the Belgian Code of Economic Law (“CEL”) by (i) prohibiting certain unfair, misleading and/or aggressive market practices in a B2B context, (ii) introducing a greylist and a blacklist of clauses in B2B contracts and (iii) expanding the scope of Belgian competition law to also cover abuses of economic dependence. The purpose of the legislator was to strengthen the negotiating position of smaller companies in their vertical relationships with larger companies. The Law of 4 April 2019 will however apply to all contractual B2B relationships.

(i) Misleading and/or aggressive market practices
Entry into force: 1 September 2019

Law of 4 April 2019 copies the already existing provisions in B2C contracts, and now explicitly prohibits the following practices between companies:
– misleading market practices
– aggressive market practices
– all market practices which would encourage an infringement of the CEL.

(ii) Blacklisted and greylisted clauses
Entry into force: 1 December 2020

In addition to misleading and aggressive market practices, the Law of 4 April 2019 introduces the following:
– a general unfairness test, which prohibits contractual clauses creating an obvious (legal) imbalance between the parties (not extended to essential terms of the contract);
– a blacklist, containing the following 4 clauses which will always be prohibited:
o A clause providing that party A is irrevocably bound, while the obligations of party B are subject to a condition at this party’s discretion;
o A clause granting a party the unilateral right to interpret any clause of the contract;
o A clause which, in case of a dispute, leads the other party to waive any legal recourse;
o A clause which provides, irrefutably, that a party has had knowledge of provisions which it could not actually have knowledge of before entering into the contract.
– A greylist of clauses which will be considered prohibited unless (i) it does not create an obvious imbalance, or (ii) such clause was truly desired and knowingly adopted by the parties. These clauses include, a.o., unilateral modification clauses, clauses limiting means of evidence, excessive damage clauses, etc.

For reasons of legal certainty and legitimate expectations, the provisions regarding B2B-clauses will only apply to B2B contracts which are established, renewed or modified after 1 December 2020. Therefore, the black- and greylisted clauses will not be applicable to already existing contracts, unless they are renewed or amended.

(iii) Abuse of economic dependence
Entry into force: 1 June 2020

The legislator has also created an additional category of restrictive competition practices, besides restrictive agreements and the abuse of a dominant position. Businesses will now also be prohibited from abusing a position of economic dependence of another business, by which competition on the Belgian market concerned can be affected (for example: the refusal of a sale).

Importantly, the maximum fine that the Belgian Competition Authority can impose has also been increased. The cap has been increased to 10% of the worldwide turnover of the undertaking involved. This could significantly increase fines in Belgium, given that, to date, fines were capped at 10% of Belgian turnover (including exports), which was favourable for international undertakings.

September 2019 – UBO registry

More than 5 years after the introduction of the UBO registry by the Fourth Money Laundering Directive (EU 2015/849) or “MLD4”, 2 years after the adoption of the coresponding Belgian Money Laundering Act and after two consecutive postponements of the effective date, all Belgian corporate entities and other Belgian legal entities will be obliged to identify their UBOs and upload the required information in the Belgian UBO-Register by 30 September 2019.

While the information obligations of the UBO apply directly to companies and legal entities, it should be noted that the company’s directors may be held liable up to considerable amounts.

Please note while listed companies are excluded to identify their UBO’s in accordance with a recently updated FAQ of the Belgian administration, this exclusion importantly does not apply to daughter companies which are directly or indirectly held by such listed companies with less than 100% of the total shareholding.

Our firm is advising on all UBO matters, and also acts as a representative for companies in timely obtaining all UBO related information, identifying the UBO’s, completing the register as proxyholder and keeping it regularily updated.