The judgment of the European Court of Justice (ECJ) in the “Planet49” case of 1 October 2019 (case C-673/17) is an important recent development for the use of tracking cookies for analytics and marketing purposes on websites.
Admissible practice prior to the ECJ “Planet49” judgment
Cookies are small text files that are placed on users’ devices to collect information for various purposes, such as to remember a user’s preferences, to tailor the ads shown and to enable website operators to analyse traffic.
Cookies were thus often installed at the time of first access to a website. Such cookies would then immediately start collecting personal data and other information.
Why was such practice largely considered permissible?
Post GDPR, the legal situation in relation to cookies became somewhat unclear because the ePrivacy Directive had not yet been replaced.
Despite this potential uncertainty, the above practice was still considered acceptable post GDPR by a large number of EU data protection authorities. Indeed, consent under the ePrivacy Directive was considered different from, and easier to obtain than, consent under the GDPR, as the implementation of the ePrivacy Directive in the various EU member states does not refer to GDPR-standard consent.
The European Data Protection Board (EDPB) issued a written opinion in March 2019 addressing the interplay between the ePrivacy Directive and the GDPR. Although not specifically addressed in the EDPB’s opinion, some suggested that the EDPB’s opinion was to be interpreted as meaning that all references to “consent” in the ePrivacy Directive mean consent as defined by the GDPR.
In their guidance notes issued in July 2019, the French and UK data protection authorities (the CNIL and ICO) clearly stated (i) that it is the GDPR standard of consent that must be obtained before placing cookies on users’ devices and (ii) that users must take a clear and positive action to give their consent to cookies (and continuing to use a website does not constitute such valid consent).
It is worth noting that, on certain aspects, such guidance documents go further than the current draft of the new ePrivacy Regulation (dated 4 October 2019), which is due to replace the existing ePrivacy Directive (e.g. the current draft permits operators to place first- or third-party cookies on users’ devices without consent for “audience measuring”, i.e. to analyse traffic passing through their websites for the purpose of optimising the service).
The ECJ “Planet49” judgment of 1 October 2019
The ECJ ruled in its “Planet49” judgment that the GDPR-standard consent also applies to the setting of cookies under the ePrivacy Directive, thereby following the interpretation of the CNIL and the ICO.
Therefore, active and informed consent is required for placing cookies and profiling technologies, including advertising cookies (but not for strictly necessary cookies). Pre-ticked boxes, for example, are not a valid means of obtaining consent.
In addition, the ECJ confirmed that it does not matter whether personal data are collected through the cookies and that consent must be obtained even when the placement of cookies does not involve the processing of personal data.
The ECJ also ruled that the controller should inform users of the lifespan of each cookie and of any third parties’ access to information collected through such cookies, prior to obtaining their consent.
Practical implications and recommendations
While the ICO and CNIL’s guidance and the ECJ’s “Planet49” judgment may be subject to criticism, it is likely that the requirement of a GDPR-standard consent will be confirmed by the future ePrivacy Regulation (with a number of exceptions for certain types of cookies).
Accordingly, a prudent approach would consist of reviewing existing cookie practices as soon as possible, including the manner in which user consent is obtained, along with existing cookie banners, cookie information notices and consent management.