The ECJ recently provided a comprehensive guidance on various issues relating to cookies in its judgement C-673/17 (Verbraucherzentrale Bundesverband e.V. vs Planet49 GmbH).
The Core of the Decision
The following has been decided:
- Legal form of consent to Cookies: Consent to cookies deployment (according to the “Cookie Directive”, Art. 5 (3) Directive 2002/58/EC, as well as according to GDPR) requires an active, unambiguous expression of consent. Accordingly, pre-checked boxes are not sufficient to collect valid consent. Likewise, it is no longer arguable to consider “continued surfing” after displaying a cookie banner as declaration of consent.
- Application of the Cookie Directive regardless of processing personal data: The requirements of the Cookie Directive including the consent requirement apply regardless as to whether or not Cookie deployment relates to the processing of personal data or not. Also anonymous Cookie deployment and – data collection are subject to the ruling.
- Information about Cookies: Data Privacy or Cookie Policies must provide information on retention periods for cookies and third parties having access to cookie information.
Who is affected by the ECJ Ruling?
The ECJ decision is relevant for any website operator deploying cookies. Legal implications depend on types of cookies deployed on a website:
- You do not deploy Cookies? The decision does not contain new legal obligations for you.
- You deploy technically necessary Cookies only? You may continue to use Cookies without consent, but you must inform the users about cookie deployment and cookie data processing.
- You deploy technically necessary and other Cookies? You must ensure deploying technically necessary cookies only when a user accesses your website landing page. We recommend a restrictive assessment to determine technically necessary cookies. The data protection authorities in Germany e.g require consent to the deployment of Google Analytics and other tracking services. The user must first express consent before technically not strictly necessary cookies may be deployed. In this context, the user must also be adequately informed.
Recommendation for Action now and in the Future
We recommend checking your website to determine cookie deployment and verify whether you comply with the ECJ decision. We recommend further implementing of a cookie management tool for the technical implementation. Such cookie toolkit informs user and provides for choice and consent means in line with the ECJ decision.
The Cookie Directive as part of the ePrivacy Directive is likely to be replaced by the ePrivacy Regulation in 2020 or 2021. The ePrivacy regulation – like the GDPR – would be directly applicable in the EU Member States and could lead to yet another revision of the European cookie approach.