Important recent development with respect to the use of tracking cookies for analytics and marketing purposes on websites, further to a judgment of the European Court of Justice (ECJ) in the “Planet49” case on 1 October 2019 (case C-673/17).
Admissible practice prior to the ECJ “Planet49” judgment
Cookies are small text files that are placed on users’ devices to collect information for various purposes, such as to remember a user’s preference, to tailor shown ads and to enable website operators to analyse traffic)
Directive 2002/58/EC, as implemented in national laws of the EU Member States, governs the use of cookies and was due to be replaced by a new ePrivacy Regulation alongside the introduction of the GDPR on 25 May 2018 (ePrivacy Directive). Under the ePrivacy Directive, the placement of cookies can only be based on consent, with the notable exception of “strictly necessary” cookies.
However, no consent pursuant to the requirements of the GDPR (which must be freely given, specific, informed and unambiguous, and must result from a clear affirmative action by the user to be valid) was obtained, as consent was inferred from the silence or the implied conduct of the user (such as the further use of the website), as long as the user was informed about the use of cookies through the use of a cookie banner and a reference to a data protection notice.
Cookies were thus often installed at the time of first access to a website. Such cookies would then immediately start collecting personal data and other information.
Typical cookie banners would read “By pursuing your navigation on the website or closing this message, you agree to our use cookies in accordance with our privacy policy” or “If you continue using our website, we will assume that you are happy to receive all cookies on this website in accordance with our cookies policy”.
Why was such practice largely considered permissible?
Prior to the introduction of the GDPR, it was widely accepted that consent could be obtained through the use of a cookie banner, simply referring users to a cookie or privacy policy and informing users that continuing to use the website implies their consent to the setting of cookies.
Post GDPR, the legal situation in relation to cookies became somewhat unclear because of the fact that the ePrivacy Directive was not replaced yet.
Despite this potential uncertainty, the above practice was still considered acceptable post GDPR by a large number of EU data protection authorities. Indeed, the consent under the ePrivacy Directive was considered different and more easy to obtain than consent under the GDPR, as the implementation of the ePrivacy Directive in the various EU member states does not refer to GDPR-standard consent.
Dissenting views
The European Data Protection Board (EDPB) issued a written opinion in March 2019 addressing the interplay between the ePrivacy Directive and the GDPR. Although not specifically addressed in the EDPB’s opinion, some suggested that the EDPB’s opinion was to be interpreted as meaning that all references to “consent” in the ePrivacy Directive means consent as defined by the GDPR.
In their guidance notes issued in July 2019, the French and UK data protection authorities (the CNIL and ICO) clearly stated (i) that it is the GDPR standard of consent that must be obtained before placing cookies on users’ devices and
(ii) that users must take a clear and positive action to give their consent to cookies (and continuing to use a website does not constitute such as valid consent).
It is worth noting that, on certain aspects, such guidance documents go further than the current draft of the new ePrivacy Regulation (dd. 4 October 2019) which is due to replace the existing ePrivacy Directive (e.g. the current draft permits operators to place first or third party cookies on users’ devices without consent for “audience measuring”, i.e. to analyse traffic passing through their websites for the purpose of optimising the service).
The ECJ “Planet49” judgment of 1 October 2019
The ECJ ruled in its “Planet49” judgment that the GDPR-standard consent also applies to the setting of cookies under the ePrivacy Directive, thereby following the interpretation of the CNIL and the ICO.
Therefore, an active and informed consent is required for placing cookies and profiling technologies including advertising cookies (but not for strictly necessary cookies). Pre-ticked boxes, for example, are not a valid mean to obtain consent.
In addition, the ECJ confirmed that it does not matter whether personal data are collected through the cookies and that consent must be obtained even when the placement of cookies does not involve the processing of personal data.
The ECJ also ruled that the controller should inform users of the lifespan of each cookie and on any third parties access to information collected through such cookies, prior to obtaining their consent.
Practical implications and recommendations
While the ICO and CNIL’s guidance and the ECJ’s “Planet49” judgment may be subject to criticism, it is likely the requirement of a GDPR-standard consent will be confirmed by the future ePrivacy Regulation (with a number of exceptions for certain types of cookies).
Accordingly, a prudent approach would consist in reviewing as soon as possible existing cookies practices, including the manner in which user consent is obtained, along with existing cookie banners, cookies information notices and consent management.