A pre-checked checkbox does not constitute consent which a website user must give for storage of and access to cookies on their equipment. Therefore companies need to change their current practice. This was the conclusion reached by the Court of Justice of the European Union in its judgment in Case C-673/17 Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH, published on 1 October 2019.
Storing cookies requires Active Consent
The main question for the Court was whether internet users need to actively consent to the storage of cookies on their device for the purpose of sending targeted advertising.
Conclusions of the Court
The first question referred for a preliminary ruling was whether the consent of website users given in the aforementioned form was sufficient. The answer is based on the provisions of Directives 2002/58/EC and 95/46/EC. These state that cookies may only be placed and used with the express consent of the internet user. If approval of cookies is pre-checked, it is objectively impossible to ascertain whether a visitor to the site has consented to the processing of their personal data without deliberately unchecking the box. It cannot be excluded that the user has not read or even noticed the additional information in the checkbox. The Court concluded that explicit consent can only be given by the subject by means of a proactive approach to expressing consent.
The second question concerns the information to be provided to website visitors. That is, whether it is necessary to include information about the duration of the cookies and third parties who have access to those cookies. Even though not all cookies process personal data, the Court found the General Data Protection Regulation (GDPR) must be applied to all such cases. It follows that the controller must be able to provide data subjects with information on how long the data will be stored, or what criteria will be taken into account to determine this period and include information on third parties who have access to those cookies.
Consequences for companies
These conclusions mean that companies that until now have used pre-checked checkboxes must change their current practice.
From the moment the decision came into force, companies must enable users to give their consent in a sufficiently informed manner. Users must understand the functioning of the cookies employed and the consequences of giving consent. An alternative must be the right to refuse.
The decision does not specify that service providers have to identify third parties by name. It will be sufficient to provide detailed information about recipients or categories of recipients of the data. Of course, information about the period for which the data will be stored or, if this is not possible, the criteria used to determine that period, must also be provided specifically.
Nothing is over yet
So far, the ECJ has actively protected the rights of internet users, especially, their privacy, as can also be seen in this decision. However, more clarity can soon be expected. A new European Union regulation on protection of privacy in the electronic environment should be adopted in the near future (the so-called E-Privacy Regulation), replacing the previous Directive 2002/58/E, which was last updated in 2009.
Significant emphasis is placed on issues related to consent to data processing. The new regulation refers to the GDPR, which requires that the consent of the data subject has to be obvious, demonstrable and unambiguous.
Moreover, in addition to data subjects’ right to withdraw their consent to data processing at any time, data subjects will have to be reminded of this possibility at least every six months. This obligation will continue for as long as processing of the particular data takes place.