The European Court of Justice has followed the requests of the Advocate General with its decision (Judgement of 01.10.2019, no. C-673/17) on the consent to the setting of cookies and demands a clear active consent by the user, so that a preset check box is not sufficient. This is hardly surprising in view of the European legal situation (see recital 32, p. 3 GDPR). It is noteworthy, however, that ePrivacy law requires consent to cookies regardless of whether personal data or “only” other data is processed. In addition, the ECJ places high demands on the information that website operators must provide about cookies.
1. Background
Planet49 organized a lottery for advertising purposes and used two checkboxed information texts for the entry form. The first checkbox contained an advertising consent, which each participant had to actively agree to by ticking a box. The second checkbox was pre-ticked. It provided for the setting of cookies, which were to enable Planet49 to evaluate the surfing and usage behaviour on websites of advertising partners and thus interest-focused advertising through a web analysis service. An information text accessible via a link explained the individual cookies and how they work.
The Federal Association of Consumer Advice Centers (qualifying under Sec. 4 UKlaG) warned against this procedure and filed – partly successfully – a lawsuit before the Regional Court of Frankfurt am Main. The Frankfurt Higher Regional Court dismissed the appeal in its entirety. The Federal Court of Justice, on further appeal, had doubts as to whether the consent obtained by means of the second checkbox is effective and what information a service provider has to provide to the user – in particular whether the duration of the cookies and the possibility of access to the cookies by third parties are also relevant. He referred these questions to the ECJ.
2. Decision of the ECJ
The ECJ initially ruled that the so-called “Cookie Directive” (i.e. Art. 5 para. 3 of the EU ePrivacy Directive) applies regardless of whether or not personal data are processed using cookies. The Court also clarified that the same requirements apply to consent under the Cookie Directive as under the GDPR. Consent must therefore be given actively and unambiguously. A default checkbox is not sufficiently unique. The setting of cookies must therefore not be permitted by a preset checkbox, which the user must deselect in order to refuse his consent.
On the second question, the ECJ ruled that website operators must provide users of their website with information on the duration of the cookies and whether third parties can gain access to the cookies. The ECJ bases this, inter alia, on the fact that the user must be able to give his consent in full knowledge of the facts.
Despite the six-year-old case, the ECJ clarified that the ruling also relates to the GDPR in force since the end of May 2018.
3. Decision does not apply to technically necessary cookies
Consent must only be given in the required active, unambiguous manner, if consent is required at all. According to the “Cookie Directive”, cookies require consent unless they are strictly necessary for the provision of the website or the performance of specific functions of the website. Not strictly necessary in this sense are advertising/marketing cookies and performance cookies. In contrast, however, there are also cookies that are necessary for the proper functioning of the website. This applies, for example, to session cookies, which help to remember a shopping basket during a browser session. Such necessary cookies still do not require consent.
However, it is not always clear which cookies can be classified as “necessary”. If a shopping basket cookie is stored beyond the browser session to prevent the content of the basket from being lost when the user closes the browser window and then returns later, one can doubt the necessity for example. The website operator bears the risk of an incorrect assessment of the necessity of cookies.
In any case, the ECJ ruling makes it clear that according to the Cookie Directive it is irrelevant whether personal data is collected at all or, for example, only anonymous access statistics. The user must also actively and unambiguously consent to cookies which only collect anonymous data, unless they are technically necessary.
4. Requirements for Consent and its Consequences
As the ECJ has clarified, the user must actively and without default set a check mark to accept the unnecessary cookies. In accordance with the ruling of the European Court of Justice, the user must be fully informed about the type of cookies (purpose, storage period, access possibility for third parties, function duration). At the same time it follows from the requirement of consent “without any doubt” that it is not sufficient for the user to continue surfing on the respective website. In this case, no cookies may be set, since the further surfing represents an active action in itself, but cannot be interpreted sufficiently clearly as consent with regard to the setting of cookies. Website operators must therefore ensure that the continuation of surfing does not result in cookies being set which are not necessary.
5. Claim for Website use Without Cookies?
The ECJ does not expressly address the question of whether the user must also be given the opportunity to use a website without cookies. This idea is sometimes claimed to be inherent to the requirement of voluntary consent. Voluntariness presupposes absence of coercion. Such a coercion, so the argument goes, could lie in withholding the use of a website if certain cookies are not accepted.
However, a claim to cookie-free websites should be rejected. The requirement of consent “without any coercion” is primarily aimed at cases in which there is a clear imbalance between user and operator or in which the fulfilment of contracts is linked to consent. Both is not the case when simply using a website. In addition, the user has no claim to the use of a specific website or to the availability of a specific content. After all, the user can already achieve cookie-free surfing today by making appropraite settings in her browser, but must then accept technical restrictions.
6. Recommendation for Action for Website Operators
Following the ECJ ruling, website operators should no longer, as has been the case in Germany to date, assess cookies solely in accordance with the GDPR and rely on an opt-out procedure on the basis of legitimate interests. According to the Cookie Directive – and very likely also according to the ePrivacy Regulation currently expected for 2020 – consent is required for non-essential cookies. In addition, it is now made clear that the mere further surfing by the user after having been presented with a cookie banner cannot constitute consent. Finally, the information on cookies in the data protection declarations must be checked and, if necessary, missing information on storage duration and third-party access must be added.
This gives rise to the following options for website operators to set cookies in compliance with data protection law:
- Getting unambiguous consent: If you wish to continue using cookie-based web analysis or advertising, you should obtain clear permission to do so. A lay-over solution is recommended. When visiting the website, a window or banner immediately lays itself over the actual content, which informs the user about cookies in accordance with ECJ case law and gives her the opportunity to reject non-essential cookies and only continue with the necessary ones. At the same time, the user could be given the opportunity to continue completely without cookies, however this will be associated with the problems mentioned below.
- Abstain from using non-essential cookies: The more radical way is the complete elimination of non-essential cookies. At first glance, this is also more user friendly, as overlays and consents can be dispensed with. Whether not using cookies is technically feasible at all depends on the content of the page and the functions that shall be offered. It should be noted that the “Cookie Directive” does not explicitly refer to cookies, but also applies to alternative techniques that store information in the user’s device by other means (e.g. DOM storage). Apart from any technical hurdles in the creation of the website, the operator may lose essential information about the duration of the use of the website and the behaviour of the users. Any revenues from tracking-based advertising would also be a thing of the past.