Overview
On October 1, 2019, the Court of Justice of the European Union (CJEU) ruled that active consent is required for a website to store cookies on user devices. In particular, the CJEU ruled that a pre-checked check box that users must actively deselect is not a valid form of consent. Importantly, the CJEU specifically stated that consent is required for all types of cookies, not only for cookies that contain personal data. However, the CJEU did not address whether its ruling applies to both essential (e.g., required for the website to provide the services) and nonessential cookies or whether it should apply solely to advertising cookies (both categories are discussed below). It also did not directly address other forms of consent, such as cookie banners. As a result of this ruling, organizations that are subject to the General Data Protection Regulation (GDPR) should review their existing cookie consent processes and policies to ensure that data subjects are provided comprehensive and sufficiently detailed information with which to give informed consent regarding cookies, as well as an opportunity to provide affirmative, opt-in consent before cookies are stored on their devices.
Overview of the Ruling
Background
Planet49 is an online gaming company that hosted a promotional lottery on its website in September 2013. To sign up for the promotional lottery, internet users could access the website and enter their names and addresses via an online form. The form contained two boxes for consent from the data subject:
- The first check box asked the data subject to consent to sponsors and cooperation partners sending him or her information about their businesses. This check box was unchecked by default, and the data subject had to actively select the box to indicate his or her consent.
- The second check box requested the data subject’s consent for the use of cookies that may allow Planet49 and other websites to track the data subject’s browsing activity across websites and to provide tracking data to advertising partners. This check box was automatically checked by default and the data subject had to actively deselect the box to opt out of this use of his or her information.
Users were required to check the first check box giving sponsors consent to provide the user with information about their organizations in order to submit their information and enter the lottery, but were not required to take any action on the second check box regarding cookies in order to submit an entry. The German Federal Court of Justice requested that the CJEU provide guidance on whether the use of a pre-ticked box to consent to the reading or writing of cookies was valid under the European Union ePrivacy Directive, read in conjunction with the consent requirements of the Data Protection Directive (DPD) and the GDPR, and whether it made any difference if the information stored or accessed in the cookies constituted personal data.
The Court’s Analysis
The CJEU analyzed whether providing the pre-checked check box to users that sign up to enter the promotional lottery while still requiring the data subject to manually check the other box for disclosing information to sponsors was enough to provide valid consent from the users to store cookies on their devices.
Major Findings of the CJEU
1. The ePrivacy Directive, read in conjunction with either the DPD (now repealed by the GDPR) or the GDPR, prohibits the use of pre-checked boxes and requires affirmative, opt-in consent before writing nonessential cookies.
2. Active, opt-in consent is required for cookies under the ePrivacy Directive regardless of whether the information in the cookies is considered personal data. Pre-checked boxes do not meet the requirement, even if some other affirmative action is required.
3. The ePrivacy Directive, read in conjunction with either the DPD or the GDPR, requires that a website operator state the duration for which the cookies will operate and indicate the third parties that may read the cookies.
CJEU Finding #1: The ePrivacy Directive, read in conjunction with either the DPD or the GDPR, prohibits the use of pre-checked boxes and requires an affirmative, opt-in consent before writing nonessential cookies.
The CJEU noted that, under the ePrivacy Directive, the user of a website must consent before the operator may store or read cookies on the user’s device. The ePrivacy Directive provides that “consent” has the same meaning as the data subject’s consent in the DPD, which defines consent as a freely given, specific, and informed indication of the data subject’s wishes. The CJEU determined that the requirement of an “indication” of the data subject’s wishes points to active, rather than passive, behavior; a pre-checked box involves no such active behavior and therefore does not produce valid consent. The CJEU also noted that the DPD requires consent to be given “unambiguously,” and that only active behavior by the data subject can satisfy that requirement, because it is impossible in practice to determine objectively whether a user gave informed consent merely by not deselecting a pre-checked box: the user may not have read the information beside the box or may not have noticed the box at all. Accordingly, the fact that the user had to actively select one of the check boxes (the one consenting to disclosure to sponsors) in order to continue does not make the consent for cookies valid. The user must actively select each check box for which he or she wishes to give consent in order for that consent to be unambiguous.
The CJEU also analyzed the requirements for consent under the GDPR, stating that it was appropriate to consider the GDPR as well as the DPD because the GDPR applied ratione temporis (by reason of time) to the dispute: the GDPR replaced the DPD and provides explicitly that references to the DPD in the ePrivacy Directive are to be construed as references to the GDPR. The CJEU recognized that the GDPR’s definition of “consent” is even more stringent than that of the DPD, requiring that consent be a “freely given, specific, informed, and unambiguous” indication of the data subject’s wishes in the form of a “clear affirmative action” signifying his or her consent. The CJEU further noted that Recital 32 of the GDPR provides explicit guidance on this point, stating that while consent may include ticking a box on a website, “silence, pre-ticked boxes or inactivity” does not constitute consent. Thus, the CJEU held that active consent is explicitly required under the GDPR and, when read in conjunction with the ePrivacy Directive, consent for cookies is not validly given through pre-checked check boxes that a user must deselect in order to refuse consent.
CJEU Finding #2: Active, opt-in consent is required for cookies under the ePrivacy Directive regardless of whether the information in the cookies is considered personal data or not.
The CJEU next turned to the question of whether the consent requirement depends on the information stored in the cookies being personal data within the meaning of the DPD or the GDPR. The CJEU determined that it does not, noting that the ePrivacy Directive simply refers to consent being required prior to the “storing of information” or the “gaining of access to information already stored,” without limiting the consent requirement to information that is personal data. The CJEU observed that the purpose of the consent requirement in the ePrivacy Directive is to protect the user from interference with his or her “private sphere,” i.e., from the risks posed by hidden identifiers and similar devices placed on the user’s equipment without the user’s knowledge, and not merely to protect the user’s personal data. Accordingly, the CJEU held that the consent requirements are not to be interpreted differently according to whether or not the information in the cookies is personal data.
CJEU Finding #3: The ePrivacy Directive, read in conjunction with either the DPD or the GDPR, requires that a website operator provide the duration that the cookies will operate and an indication of the third parties that may read the cookies.
Finally, the CJEU considered whether the ePrivacy Directive requires the website operator to state the duration of operation of its cookies and to indicate any third parties that may have access to the cookies in order to obtain properly informed consent. The CJEU noted that the ePrivacy Directive requires that users be provided with clear and comprehensive information, in accordance with the DPD, about the purposes of the processing, and that this requires the user to be in a position to easily determine the consequences of any consent he or she may give. In the context of cookies, this information must be comprehensive and sufficiently detailed to enable the user to understand how the cookies function. Both the DPD and the GDPR list information that must be provided to a user before personal data is collected or otherwise processed. Under the DPD, the controller is required to provide “any further information… in so far as such further information is necessary… to guarantee fair processing with respect to the data subject.” Although the duration of the processing is not explicitly listed in the DPD, the use of the words “at least” indicates that the types of information required are not listed exhaustively. The CJEU found that disclosure of the duration of operation of the cookies is required for fair processing, especially given that, in this case, a long or unlimited cookie lifetime could mean that a large amount of information about the user’s browsing activity is provided to Planet49’s advertising partners.
The GDPR also has an explicit requirement that controllers must, in order to ensure fair and transparent processing, provide information relating to the period in which personal data will be stored (or the criteria used to determine that period). Accordingly, the CJEU found that the duration of the operation of the cookies and whether or not third parties will have access to those cookies is required to meet notice requirements of the ePrivacy Directive when read in conjunction with the DPD or the GDPR. Thus, the CJEU further held that both the GDPR and the DPD require that data subjects be provided notice of the recipients or categories of recipients of personal data and therefore require that users be provided with notice that third parties may have access to cookies.
Valid Consent Requirements
Under the CJEU’s ruling, organizations that are subject to the GDPR may obtain valid consent from users indicating that they will accept cookies on their devices only if they actively provide their consent. For example, organizations may obtain such consent by providing users with an option requiring them to select an unchecked check box. When presenting the option, the organization must provide users with the purposes for using the cookies, including information about the length of time that the cookies will be active and an indication of whether information gathered from the cookies will be shared with any third parties and, if the information will be shared, the categories of third parties with which the data is shared.
Impact to Business
The ePrivacy Directive does not require consent for “essential” cookies, i.e., cookies used for the sole purpose of carrying out the transmission of a communication and cookies that are strictly necessary for the website provider to deliver a service the user has explicitly requested. The Article 29 Working Party’s Opinion 04/2012 on the cookie consent exemption gives the following as examples of cookies that can fall within that exemption, with the narrow scope indicated for each (a cookie loses the exemption if it is reused for another purpose, such as advertising profiling, or persists longer than its purpose requires):
- User input cookies, for the duration of a session
- Authentication cookies, for the duration of a session
- User centric security cookies, used to detect authentication abuses and linked to the functionality explicitly requested by the user, for a limited persistent duration
- Multimedia content player session cookies, such as flash player cookies, for the duration of a session
- Load balancing session cookies, for the duration of a session
- User interface customization cookies, for a browser session or a few hours, unless additional information in a prominent location is provided (e.g., “uses cookies” written next to the customization feature)
Cookies that do not meet this strictly-necessary test are nonessential, and the ePrivacy Directive requires consent for them; the CJEU’s ruling therefore applies to a wide range of commonly used cookies, most obviously the cross-site advertising and tracking cookies at issue in Planet49 and the analytics cookies discussed below.
Businesses that are subject to the GDPR should review their process for obtaining opt-in consent for the use of nonessential cookies. A full disclosure of the use of cookies should be provided to consumers, including the third parties that provide the cookies or can otherwise use them, as well as the duration that each cookie is valid for.
If data subjects can opt in to the use of cookies through check boxes, sliders, or similar mechanisms, businesses should ensure that the data subject must take an active step to do so.
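As an added illustration (not code from this alert, from Planet49, or from any court), the following JavaScript shows one way to turn these requirements into a server-side consent gate: non-essential purposes start unchecked, a purpose counts as consented only when the interaction log shows the user switched it on (so a box that arrives pre-ticked is refused rather than honoured), the notice text carries each purpose’s lifetime and third-party recipients, and no non-essential Set-Cookie is emitted without a matching grant. The purpose names, lifetimes and the partner hostname are assumptions chosen for illustration.

```javascript
// Added example (not code from the Foley alert, Planet49 or any court): a minimal
// consent gate implementing the three CJEU findings. Non-essential purposes are
// off by default, consent counts only when the user actively switched a purpose
// on, and the notice states each purpose's duration and third-party recipients.
// Purpose names, lifetimes and the partner hostname below are illustrative assumptions.

const PURPOSES = {
  // Strictly necessary for a service the user asked for: exempt from consent.
  session:     { essential: true,  maxAgeSeconds: null,        thirdParties: [] },
  // Non-essential: needs affirmative opt-in before any cookie is written.
  advertising: { essential: false, maxAgeSeconds: 30 * 86400,  thirdParties: ['ads.partner.example'] },
  analytics:   { essential: false, maxAgeSeconds: 365 * 86400, thirdParties: [] },
};

// Text the consent UI must present for every non-essential purpose
// (Finding #3: duration and recipients, not just "this site uses cookies").
function consentNotice(purposes = PURPOSES) {
  return Object.entries(purposes)
    .filter(([, p]) => !p.essential)
    .map(([name, p]) => ({
      purpose: name,
      duration: `${Math.round(p.maxAgeSeconds / 86400)} days`,
      thirdParties: p.thirdParties.length ? p.thirdParties.join(', ') : 'none',
    }));
}

// Initial form state: every non-essential purpose unchecked (Finding #1).
// Essential purposes never appear in the form; they need no consent.
function defaultFormState(purposes = PURPOSES) {
  const state = {};
  for (const [name, p] of Object.entries(purposes)) if (!p.essential) state[name] = false;
  return state;
}

// Turn the submitted form state plus the UI's interaction log into a consent record.
// `events` lists what the user actually did, e.g. { purpose: 'analytics', action: 'check' }.
// A purpose is granted only if its final state is "on" AND the user switched it on
// themselves; an "on" box with no user action is a pre-ticked box and is refused.
function recordConsent(formState, events, purposes = PURPOSES) {
  const touched = new Set(events.filter(e => e.action === 'check').map(e => e.purpose));
  const granted = {};
  const preTicked = [];
  for (const [name, p] of Object.entries(purposes)) {
    if (p.essential) continue;
    const on = formState[name] === true;
    if (on && !touched.has(name)) preTicked.push(name);
    granted[name] = on && touched.has(name);
  }
  return { granted, preTicked, recordedAt: new Date().toISOString() };
}

// Gate every Set-Cookie on the recorded consent. Returns the header value to send,
// or null when the cookie must not be written. Essential cookies always pass;
// the lifetime comes from the purpose table so it matches what the notice said.
function setCookieHeader(name, value, purpose, consent, purposes = PURPOSES) {
  const p = purposes[purpose];
  if (!p) throw new Error(`unknown cookie purpose: ${purpose}`);
  if (!p.essential && !(consent && consent.granted[purpose])) return null;
  const attrs = ['Path=/', 'Secure', 'HttpOnly', 'SameSite=Lax'];
  if (p.maxAgeSeconds !== null) attrs.push(`Max-Age=${p.maxAgeSeconds}`);
  return `${name}=${encodeURIComponent(value)}; ${attrs.join('; ')}`;
}

// Stand-alone run: the Planet49 pattern (advertising box pre-ticked, user never
// touched it) versus a user who actively ticked analytics only.
function demo() {
  const preTicked = recordConsent({ advertising: true, analytics: false }, []);
  const active = recordConsent({ advertising: false, analytics: true },
                               [{ purpose: 'analytics', action: 'check' }]);
  console.log(consentNotice());
  console.log('pre-ticked form  ->', preTicked.granted, 'refused:', preTicked.preTicked);
  console.log('session cookie   ->', setCookieHeader('sid', 'abc', 'session', null));
  console.log('ad cookie        ->', setCookieHeader('adid', 'x', 'advertising', preTicked));
  console.log('analytics cookie ->', setCookieHeader('ga', 'y', 'analytics', active));
}
demo();
```

The interaction log is the important design choice: validating only the submitted check-box values cannot distinguish an informed opt-in from a pre-ticked default the user never saw, which is exactly the distinction the CJEU drew. Keep the returned consent record, with its timestamp, alongside the version of the notice text that was shown, so that the grant can be demonstrated later.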
However, it is unclear what the CJEU’s decision means for cookie consent banners that offer no individual options. For example, the ruling may mean that providing only a single “ACCEPT” button is no longer recognized as a valid form of consent. This may especially be true for websites that use a banner that remains on the user interface until “ACCEPT” is clicked, with little or no obvious way of dismissing the banner without accepting the use of cookies. In such cases, data subjects could argue that this is similar to a pre-checked box, in that the only way to continue using the website is to accept the cookies. Data subjects may also argue that such consent is neither freely given nor an unambiguous indication of the data subject’s wishes, because what he or she really wished was to use the website without interference from a banner.
The biggest impact may be felt by businesses that are subject to the GDPR, where their business involves targeted advertising space or is reliant upon revenue obtained from targeted advertising on their websites. Under the ruling, users are required to give their active consent for organizations to store cookies on their computer if the cookies track their movements across the internet, enabling third parties, such as ad-tech companies, to provide the users with targeted advertisements. While some browsers already permit users to prohibit the use of third party tracking cookies on their devices, it remains to be seen how the active consent requirement will impact the number of users that are tracked on the browsers that still allow it and ultimately the revenue related to advertising technology. Many users may not believe that targeted advertising is a benefit to them and may not be willing to go through the hassle of actively opting in to the use of cookies for targeted advertising. This may be even more acute for analytics cookies, where users perceive even less benefit to make it worth their additional efforts to opt in to the use of those cookies.
Overall, organizations that provide services in Europe must take a proactive approach to this ruling to avoid breaching the GDPR and the ePrivacy Directive. It is also unlikely that the long-running efforts in the EU to adopt the ePrivacy Regulation will materially change or nullify this ruling. Organizations should review any pre-checked cookie consents they may have and remove any pre-checked check boxes they use to obtain consent to store cookies on a user device. They should also ensure that any banners they use to obtain consent to store cookies provide the required information (purposes, duration, and third-party recipients) and require an active acceptance from the user.
This Legal News Alert is part of our ongoing commitment to providing up-to-the-minute information about pressing concerns or industry issues affecting our clients and our colleagues. We continue to monitor developments concerning privacy and cybersecurity both in the U.S. and abroad. If you have questions about this update or would like to discuss this topic further, please contact your Foley attorney or any of the following:
Additional Cybersecurity Team Members
James Kalyvas, Partner and Practice Co-Chair
Eileen Ridley, Partner and Practice Co-Chair
Chanley Howell, Partner, Jacksonville, 904.359.8745
Michael Overly, Partner, Los Angeles
Jennifer Rathburn, Partner, Milwaukee
Peter Vogel, Of Counsel
Jennifer Hennessy, Senior Counsel, Madison
Edward Block, Associate, Austin
Thomas Chisena, Associate, Boston
Samuel Goldstick, Associate, Chicago