08 Oct 2019
On the 1
st of October 2019, the Court of Justice of the European Union (CJEU) issued a decision on the cookie consent requirements. This decision came following a request made by the Federal Court of justice in Germany to the CJEU for a preliminary ruling on how to get a valid cookie consent under the
ePrivacy Directive and the General Data Protection Regulation (GDPR).
In particular, the case concerned the participation in an online lottery which required from the users to enter their personal information, such as names and addresses, and give their consent for two different purposes, that is receiving marketing material and approving the installation of cookies on their devices. The form to be filled out by the users, included two checkboxes. However, the first one for marketing purposes was not ticked while the second one for the installation of cookies was already ticked and thus the user had to uncheck it in order to not give his/her consent.
The German Court remitted this case to the CJEU to further evaluate whether the consent obtained for the cookies was valid given that the checkbox was pre-ticked. The CJEU was also asked whether the Controller needs to provide users with information about the duration of the operation of the cookies and the access of third parties to them.
The CJEU considered the Article 5(3) of ePrivacy Directive according to which the users must have “given his or her consent” to the storage of and access to cookies on their devices. The Court noted that although the way in which the consent must be given is not defined, action is needed by the users in order to give their consent. In addition, it took into account the article 2(h) of Data Protection Directive (95/46/EC) that refers to the data subject’s consent as “
any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.” According to the Court, “
indication clearly points to active, rather than passive, behavior.” This is also confirmed by the GDPR where “
active consent is now expressly laid down in Regulation 2016/679.”
The Court’s judgment also mentioned that the consent requirements are applicable not only to the personal information but also to any information that would have privacy implications regardless of whether it is personal data within the meaning of Article 4(1) of the GDPR. Moreover, the Court said that the Controller must provide the users with the necessary information about the duration of operation of the Cookies and if third parties have access to them.
In conclusion, a valid consent for storing cookies on the user’s device requires his/her active behavior which includes ticking the non pre-ticked checkbox. Before giving his/her consent, it is also important that the user must be provided with the necessary information about Cookies. In this context, websites must update their mechanisms in order to meet these requirements.