The CJEU sheds more light on trackers and consent requirements


Written by Karolina Matuszewska

Published November 18, 2019

This year, the Court of Justice of the European Union (CJEU) has issued two crucial rulings on consent requirements regarding cookie compliance, under the General Data Protection Regulation (GDPR), ePrivacy Directive 2002/58/EC (the ePrivacy Directive, also known as the Cookie Directive) and Directive 95/46/EC (the Data Protection Directive). They highlight that the use of pre-ticked boxes on websites to acquire consent for processing personal data is impermissible.

The key issues covered by these judgments shouldn’t surprise the privacy-conscious public. However, they will prompt organizations to reassess their practices and approach to data collection, and make them aware of how far from privacy compliance they are. That should guide them in improving consent mechanisms and further data processing.

Let’s see how the story unfolds and what steps you should include in your strategy to ensure legal compliance regarding consent.

The backstories of the recent CJEU rulings

It started with the Facebook “Like” button. An online fashion retailer placed it on their website, and it passed data such as users’ IP addresses to Facebook. The problem was that users didn’t give their consent as they were utterly unaware of the procedure.

A lawsuit was filed against the company, and on 29 July 2019 the CJEU passed judgment in Case C-40/17. It held that the website owner that had embedded a social media plugin is a joint controller with Facebook.

The CJEU explained that, when it comes to data collection and transmission, the website operator is a joint controller with the plugin provider, in this case Facebook. But the website owner will not be a joint controller or hold responsibility for the processing of that data.

The Court’s decision was based on the Data Protection Directive 95/46/EC and is consistent with the GDPR, which applies the same definitions and requirements.

Another case involves Planet49, an online gaming company. It had forced users to agree to third-party advertising if they wanted to take part in a promotional lottery. Site visitors were given two tick boxes:

  • The first – unticked – regarded third-party advertising, but it was necessary to agree to this to enter the game.
  • The second box – this time pre-ticked – authorized Planet49 to set tracking cookies, though users could opt out any time.

And the CJEU’s judgment makes it plain that you can’t validly obtain consent via pre-checked boxes. You need active (affirmative) actions from visitors.

What can you set up without consent? Only technically necessary cookies, the kind that enable websites to work properly or deliver services to visitors. But you still must ask people’s permission for cookies you apply for:

  • Marketing
  • Analytics
  • Personalization
  • Tracking
  • Retargeting etc.

On the other hand, the obligations governing when websites must ask for cookie consent vary for individual European Union Member States.

Key points from the CJEU decisions

Both rulings specify requirements and recommendations concerning consent and the use of cookies under the European legislation. The verdicts should be a wake-up call for organizations that lag behind on GDPR compliance or don’t take it seriously enough.

But keep in mind that this is not only about cookies. It concerns processing users’ data on the website, which can mean using a custom script or local storage instead of cookies.

You need user permission for sharing data with third parties before collecting it

The decision in the case of Fashion ID vs. Facebook emphasizes that you must ask visitors if you can collect and process their data, whether it’s for your own purposes or to exchange it with business partners.

In the end, you will both be responsible for all that information.

As set out in Article 2(h) and Article 7(a) of Directive 95/46,

[…] consent must be given prior to the collection and disclosure by transmission of the data subject’s data. In such circumstances, it is for the operator of the website, rather than for the provider of the social plugin, to obtain that consent, since it is the fact that the visitor consults that website that triggers the processing of the personal data.

As a website provider, you must receive permission for using cookies and placing them on a user’s device. It means you need a person’s active behavior and indication of their desires. You can’t assume their agreement.

You can find this obligation in both the GDPR, which explains that “Silence, pre-ticked boxes or inactivity should not therefore constitute consent,” and Article 2, Directive 95/46, which clearly says:

“the data subject’s consent” shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.
[…] consent is effective only if it is based on a free decision by the data subject. […]


You can’t use pre-ticked boxes to get user permission for collecting and processing data. Nor can you treat the fact that visitors continue to browse your site as “active behavior.”

The ruling should put an end to banners with just an “OK” button that merely say the website utilizes cookies. Such notices force people to agree and breach other GDPR provisions, namely the right to object.

The CJEU confirms what you can read in the ePrivacy Directive, that the consent rule regarding cookies applies to any piece of information, whether it’s personal or not.

“the Court notes, in any event, that Article 5(3) of Directive 2002/58 refers to ‘the storing of information’ and ‘the gaining of access to information already stored’, without characterising that information or specifying that it must be personal data.”

In this regard, the Court agrees with the Advocate General’s Opinion that the ePrivacy Directive should protect users’ “private sphere” which includes “any information stored in the terminal equipment of users of electronic communications networks.”

This point is an extension of the GDPR, which refers only to personal information.

Based on the Directive, the Court says that the consent “must not only be active, but also separate. The activity a user pursues on the internet (reading a webpage, participating in a lottery, watching a video, etc.) and the giving of consent cannot form part of the same act.”

As to Planet49, the Court notes that a user’s agreement to participate in the lottery shouldn’t be regarded as permission to store cookies on their device.

This means that you, as a website provider, must specify the different purposes of data processing. This could be sending promotional materials or setting up cookies. Then, ask for a separate permission in each case. The consent shouldn’t be bundled with other terms and conditions.

If you want more details on the above requirements, check out our post:
How Consent Manager Can Help You Obtain GDPR-Compliant Consents From Your Users

The final points of the ruling refer to cookie lifespan and telling visitors what third parties can access user data.

To be precise, the Court found that “the information that the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.”

And the Advocate General had already expressed this in March 2019 in his opinion, saying that “the duration of the operation of cookies is an element of the requirement for informed consent, meaning that service providers should ‘always keep subscribers informed of the types of data they are processing and the purposes and duration for which it is done.’ ”

These obligations help ensure transparency as visitors should know how long site operators keep user data. And this “information is vital to enable individuals to make informed decisions prior to the processing.”

To stress the importance of valid consents, the Court orders that “a user should be explicitly informed whether third parties have access to the cookies set or not. And if third parties have access, their identity must be disclosed.”

That’s why website providers should place a separate checkbox (un-ticked) on their consent banners with a list of business partners they want to share data with.

Your next steps

As you can see, establishing a compliant strategy is no easy feat. The good news is that we’ve got some recommendations for this task. Here’s what you should do in a nutshell:

Consent plays a key role in obtaining valid agreement to collecting and processing people’s personal details. That’s why you should design it so that it:

  • informs of each purpose of data processing, separately
  • ensures active opt-in, no pre-ticked boxes
  • provides an easy way to opt out of collecting and processing data
  • uses plain and concise language
  • allows users to change their mind any time
  • notifies on cookie duration and access by third parties
  • does not place any cookies before users agree to them (except in cases where you have a legitimate interest in placing the cookie; use this exception with caution)
  • remembers users’ choices and the consent language

To see how you can implement this kind of consent box, check out an example from our public repository here.

You should have a history of different permissions users provided, for instance, whether they agreed first to marketing, A/B testing, and then also to retargeting. You need to document all that with details like when they consented and what was included in that decision, for example retargeting on Facebook.

The GDPR and the guidelines of the European Data Protection Board on consent have set stringent standards for its collection. We’d like to highlight the recommendations of the Commission Nationale de l’Informatique et des Libertés (CNIL), the French DPA, on getting valid consent. You can’t validly obtain it via scrolling down, browsing or swiping through a website or application.

And as we’ve already mentioned, before you start collecting any piece of data, you need to ask your site visitors whether they agree to that or not. It means you don’t load any script, tracker or pixel before gaining users’ approval. The only exception to that rule concerns cookies that enable your website to load.
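The consent history and the "nothing loads before approval" rule described above can be enforced in one place. The sketch below is an added example, not code from the repository mentioned in this article; `ConsentLedger`, `PURPOSES` and the sample tags are hypothetical names, and the third-party check assumes the banner listed the partners by name.

```javascript
// Added example: ConsentLedger, PURPOSES and the tag objects are hypothetical.
const PURPOSES = ["marketing", "analytics", "personalization", "retargeting"];

class ConsentLedger {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.history = []; // append-only record of every decision
  }

  // One decision per purpose. Only an explicit `true` counts as opt-in;
  // a missing or non-boolean value (silence, inactivity) is stored as refusal.
  record(choices, { language, thirdParties = [] }) {
    const granted = {};
    for (const p of PURPOSES) granted[p] = choices[p] === true;
    const entry = { at: this.now(), language, thirdParties: [...thirdParties], granted };
    this.history.push(entry);
    return entry;
  }

  // Current state is the most recent entry; no entry means nothing is granted.
  current() {
    return this.history.length ? this.history[this.history.length - 1] : null;
  }

  // Gate for tags: technically necessary ones load; others need consent for
  // their purpose and, if they share data, a third party the user was shown.
  mayLoad(tag) {
    if (tag.necessary === true) return true;
    const c = this.current();
    if (!c || c.granted[tag.purpose] !== true) return false;
    return !tag.thirdParty || c.thirdParties.includes(tag.thirdParty);
  }
}

// Constructed sample tags for a page.
const TAGS = [
  { name: "session-cookie", necessary: true },
  { name: "web-analytics", purpose: "analytics" },
  { name: "fb-pixel", purpose: "retargeting", thirdParty: "Facebook" },
];

function loadableTags(ledger) {
  return TAGS.filter((t) => ledger.mayLoad(t)).map((t) => t.name);
}
```

Withdrawing consent is recorded as a new entry with every purpose refused, so the history still shows what was agreed to earlier and when.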

Step 4. Review your compliance mechanisms

The final step should be to check whether you have all the compliance mechanisms in place and assess how they measure up against the mentioned regulations and the CJEU rulings. In this way you’ll make sure that you collect and process personal data lawfully and respect people’s rights.

Such audits help you avoid the mistakes many organizations continue to make. And here are the most common examples of how website owners fail to fulfill the legal requirements in terms of mechanism quality, clarity and accessibility of information:

  • Offering no option other than to agree to collecting and processing data. That violates the principle of freely-given consent.
  • Providing dark UX in the form of pre-checked boxes, highlighting the “agree” button. As expressed in the ruling, you need users’ active behavior and indication of their intention. You can’t use pre-ticked boxes to obtain a valid consent.
  • Preloading tracking cookies before users agree to share their data. According to privacy regulations you need to ask people if they permit you to collect their data, then you can drop such cookies.

Conclusion

The constantly changing privacy landscape is becoming harder and harder to navigate. Both of the discussed verdicts show that brands fail to respect even the strictest regulations, and it’s high time to change this tide.

The CJEU rulings bring no surprises, but they serve as a reminder of the key principles set out in GDPR and ePrivacy. Website owners should adjust their tactics. They should offer visitors more transparency and free choice. The final step should be saying farewell to confusing data processing consent banners and assumed consent.

All that makes developing an analytics strategy even trickier and more burdensome. That’s why you should find a reliable partner that offers privacy compliance and helps you establish consent mechanisms so you can collect granular data without putting your organization at legal risk. If you want to know how different vendors approach this task, check out our Comparison of 5 Leading Consent Management Platforms.

And if you prefer to talk about issues concerning consent management or personal data processing on your website, just reach out to our team. We’ll be more than happy to schedule a call with you to answer your questions.