This year, the Court of Justice of the European Union (CJEU) has issued two crucial rulings on consent requirements regarding cookie compliance, under General Data Protection Regulation (GDPR), ePrivacy Directive 2002/58/EC (ePrivacy Directive also known as Cookie Directive) and Directive 95/46/EC (Data Protection Directive). They highlight that the use of pre-ticked boxes on websites to acquire consent for processing personal data is impermissible.
The key issues covered by these judgments shouldn’t surprise the privacy-conscious public. However, it will prompt organizations to reassess their practices and approach to data collection, and make them aware of how far from privacy compliance they are. That should guide them in improving consent mechanisms and further data processing.
Let’s see how the story unfolds and what steps you should include in your strategy to ensure legal compliance regarding consent.
It started with the Facebook “Like” button. A fashion online retailer placed it on their website, and it passed data such as users’ IP addresses to Facebook. The problem was that users didn’t give their consent as they were utterly unaware of the procedure.
A lawsuit was filed against the company, and on 29 July 2019 the CJEU passed judgment in Case C-40/17. It held that the website owner that had embedded a social media plugin is a joint controller with Facebook.
The CJEU explained that, when it comes to data collection and transmission, the website operator is a joint controller with the plugin provider, in this case Facebook. But the website owner will not be a joint controller or hold responsibility for the processing of that data.
The Court’s decision was based on the Data Protection Directive 95/46/EC and is consistent with the GDPR, which applies the same definitions and requirements.
Another case involves Planet49, an online gaming company. It had forced users to agree to third-party advertising if they wanted to take part in a promotional lottery. Site visitors were given two tick boxes:
- The first – unticked – regarded third-party advertising, but it was necessary to agree to this to enter the game.
- The second box – this time pre-ticked – authorized Planet49 to set tracking cookies, though users could opt out any time.
And the CJEU’s judgment makes it plain that you can’t validly obtain consent via pre-checked boxes. You need active (affirmative) actions from visitors.
What can you set up without consent? Only technically necessary cookies, the kind that enable websites to work properly or deliver services to visitors. But you still must ask people’s permission for cookies you apply for:
- Retargeting etc.
On the other hand, the obligations governing when websites must ask for cookie consent vary for individual European Union Member States.
In November 2023, the European Data Protection Board (EDPB) formulated guidelines outlining the new technical scope of Art. 5 (3) of the ePrivacy Directive. According to this article, companies must obtain prior consent before storing or accessing information on a user’s electronic device unless it is necessary to provide the requested service. So far, this principle has mainly applied to Internet cookies. The recent guidelines significantly extend the list of technologies covered by Art. 5 (3) to include new tracking methods and technical operations.
The EDPB focuses on five critical elements of the cookie rule and applies an extensive interpretation to all of them:
- Information includes both non-personal and personal data, regardless of how it is stored or by whom.
- Terminal equipment refers to equipment connected to the public telecommunications network, e.g., smartphones, laptops, connected cars, connected TVs, or smart glasses.
- An electronic communications network is any system that allows the transmission of electronic signals. The rule concerns public communication services provided over such networks. However, communication over a network available to a limited number of people (e.g., subscribers) is also considered public.
- Access – the EDPB has a very broad delimitation of access according to which an access exists if an entity actively takes steps to gain access to information stored on a terminal equipment.
- Storage applies to information of any type, in any quantity, and takes place over any time (even as short as storage in RAM or CPU cache).
The EDPB’s proposals have sparked controversy as they may negatively affect the market. It was reflected in the feedback from various industry bodies as part of the public consultation on the new guidelines.
To quote The Federation of European Data and Marketing:
The EDPB’s broad interpretation of “gaining access” would (…) mean that every communication over the internet is somehow “gaining access” to information within scope of Art 5(3) ePD (…). In doing so, the draft Guidelines’ interpretation also captures technologies and basic technical operations which are not necessarily related to marketing or advertising purposes (…). It is therefore unclear how a consent requirement for non-intrusive technical operations which do not necessarily involve the processing of personal data would bring a better protection of privacy to the user. This also seems detrimental to the user’s online experience as they will be asked to engage with additional consent requests, likely exacerbating the so-called “consent fatigue” .
The Central Association of the German Advertising Industry ZAW noted the need for a risk-based approach in the new guidelines. The IAB brought up, among other things, the negligence of the technical considerations.
Nevertheless, the guidelines reflect the EU data protection authorities’ interpretation of the law and are not directly binding. The outcome of the EDPB’s efforts to enforce the guidelines is yet to be determined.
But keep in mind that this is not only about cookies. It concerns processing users’ data on the website, which can mean using a custom script or local storage instead of cookies.
The decision in the case of Fashion ID vs. Facebook emphasizes that you must ask visitors if you can collect and process their data. No matter if it’s for your own purposes or whether you want to exchange it with business partners.
In the end, you will both will be responsible for all that information.
As set out in Article 2(h) and Article 7(a) of Directive 95/46,
[… ]consent must be given prior to the collection and disclosure by transmission of the data subject’s data. In such circumstances, it is for the operator of the website, rather than for the provider of the social plugin, to obtain that consent, since it is the fact that the visitor consults that website that triggers the processing of the personal data.
As a website provider, you must receive permission for using cookies and placing them on a user’s device. It means you need a person’s active behavior and indication of their desires. You can’t assume their agreement.
You can find this obligation in both the GDPR, which explains that “Silence, pre-ticked boxes or inactivity should not therefore constitute consent,” and Article 2, Directive 95/46, which clearly says:
“the data subject’s consent” shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.’
[…] consent is effective only if it is based on a free decision by the data subject. […]
You can’t use pre-ticked boxes to get user permission to data collecting and processing. But also you can’t consider “active behavior” the fact that visitors continue to browse your site.
The ruling should put an end to banners with just an “OK” button that merely says the website utilizes cookies. Such notices force people to agree and breach other GDPR provisions, namely the right to object.
The CJEU confirms what you can read in the ePrivacy Directive, that the consent rule regarding cookies applies to any piece information, whether it’s personal or not.
“the Court notes, in any event, that Article 5(3) of Directive 2002/58 refers to ‘the storing of information’ and ‘the gaining of access to information already stored’, without characterising that information or specifying that it must be personal data.”
In this regard, the Court agrees with the Advocate General’s Opinion that the ePrivacy Directive should protect users’ “private sphere” which includes “any information stored in the terminal equipment of users of electronic communications networks.”
This point is an extension of the GDPR, which refers only to personal information.
The State of GDPR Consent
Overview and scoring of how websites have adapted to data privacy regulations
Based on the Directive, the Court says that the consent “must not only be active, but also separate. The activity a user pursues on the internet (reading a webpage, participating in a lottery, watching a video, etc.) and the giving of consent cannot form part of the same act.”
As to Planet49, the Court notes that a user’s agreement to participate in the lottery shouldn’t be regarded as permission to storing cookies on their device.
This means that you, as a website provider, must specify the different purposes of data processing. This could be sending promotional materials or setting up cookies. Then, ask for a separate permission in each case. The consent shouldn’t be bundled with other terms and conditions.
If you want more details on the above requirements, check out our post:
How Consent Manager Can Help You Obtain GDPR-Compliant Consents From Your Users
The final points of the ruling refer to cookie lifespan and telling visitors what third parties can access user data.
To be precise, the Court found that “the information that the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.”
And the Advocate General had already expressed this in March 2019 in his opinion, saying that “the duration of the operation of cookies is an element of the requirement for informed consent, meaning that service providers should ‘always keep subscribers informed of the types of data they are processing and the purposes and duration for which it is done.’ ”
These obligations help ensure transparency as visitors should know how long site operators keep user data. And this “information is vital to enable individuals to make informed decisions prior to the processing.”
To stress the importance of valid consents, the Court orders that “a user should be explicitly informed whether third parties have access to the cookies set or not. And if third parties have access, their identity must be disclosed.”
That’s why website providers should place a separate checkbox (un-ticked) on their consent banners with a list of business partners they want to share data with.
As you can see, establishing a compliant strategy is no easy feat. The good news is that we’ve got some recommendations for this task. Here’s what you should do in a nutshell:
Consent plays a key role in obtaining valid agreement to collecting and processing peoples’ personal details. That’s why you should design it so that it:
- informs of each purpose of data processing, separately
- ensures active opt-in, no pre-ticked boxes
- provides an easy way to opt out of collecting and processing data
- uses plain and concise language
- allows users to change their mind any time
- notifies on cookie duration and access by third parties
- does not allow to place any cookies (with the exception of cases where you have a legitimate interest to place the cookie (caution!)) before user agree to them
- remembers users’ choices and the consent language
To see how you can implement this kind of consent box, check out an example from our public repository here.
You should have a history of different permissions users provided, for instance, whether they agreed first to marketing, A/B testing, and then also to retargeting. You need to document all that with details like when they consented and what was included in that decision, for example retargeting on Facebook.
The GDPR and the guidelines of the European Data Protection Board on consent have set stringent standards for its collection. We’d like to highlight the recommendations of the Commission Nationale de l’Informatique et des Libertés (CNIL), which is a French DPA, on getting a valid consent. You can’t validly obtain one via scrolling down, browsing or swiping through a website or application.
And as we’ve already mentioned, before you start collecting any piece of data, you need to ask your site visitors whether they agree to that or not. It means you don’t load any script, tracker or pixel before gaining users approval. The only exception to that rule concerns cookies that enable your website to load.
The final step should be to check whether you have all the compliance mechanisms in place and assess how they measure up against the mentioned regulations and the CJEU rulings. In this way you’ll make sure that you collect and process personal data lawfully and respect people’s rights.
Such audits help you avoid the mistakes many organizations continue to make. And here are the most common examples of how website owners fail to fulfill the legal requirements in terms of mechanism quality, clarity and accessibility of information:
- Offering no option other than to agree to collecting and processing data. That violates the principle of freely-given consent.
- Providing dark UX in the form of pre-checked boxes, highlighting the “agree” button. As expressed in the ruling, you need users’ active behavior and indication of their intention. You can’t use pre-ticked boxes to obtain a valid consent.
- Preloading tracking cookies before users agree to share their data. According to privacy regulations you need to ask people if they permit you to collect their data, then you can drop such cookies.
To get a bigger picture of how websites have adapted to privacy regulations, check out our report:
The constantly changing privacy landscape is becoming harder and harder to navigate. Both of the discussed verdicts show that brands fail to respect even the strictest regulations, and it’s high time to change this tide.
The CJEU rulings bring no surprises, but they serve as a reminder of the key principles set out in GDPR and ePrivacy. Website owners should adjust their tactics. They should offer visitors more transparency and free choice. The final step should be saying farewell to confusing data processing consent banners and assumed consent.
All that makes developing an analytics strategy even trickier and more burdensome. That’s why you should find a reliable partner that offers privacy compliance and helps you establish consent mechanisms so you can collect granular data without putting your organization at legal risk. If you want to know how different vendors approach this task, check out our Comparison of 5 Leading Consent Management Platforms.
And if you prefer to talk about issues concerning consent management or personal data processing on your website, just reach out to our team. We’ll be more than happy to schedule a call with you to answer your questions.