The Belgian “cookie law” is now in its 7th year and since its inception it has sowed little more than frustration and confusion.
In other words, a pop-up banner when you first visit a website asking for permission to place cookies is really necessary. This also means that the visitor must be free not to give his permission and still visit your website.
However, in recent years we have seen all kinds of creative solutions that try to avoid having to ask for explicit permission, ranging from simply not requesting permission, via pre-checked opt-ins to a system of opt-outs. In the light of the above, it should be clear that this is usually very problematic.
Cookie legislation and GDPR
To complicate matters, cookie legislation does not stand on an island, isolated from other laws. Anyone who wants to process personal data through cookies must take GDPR into account in addition to the cookie law and, in most cases, must obtain a second opt-in, separate from the cookie opt-in, for the actual use of the personal data concerned.
What exactly does the European Court have to do with this?
However, the European Court recently had to answer some very pertinent questions:
- Can a cookie opt-in be checked in advance?
- Is it relevant here whether or not personal data is processed under GDPR via the relevant cookie?
Why did the European Court have to answer these questions?
The German company Planet49 organizes online promotional competitions and draws. Anyone who wants to participate must enter their name and address on a Planet49 promotional site. The form that is used for this purpose contains two check boxes and an “I participate” button.
By checking the first check box, the participant gives permission to pass on his or her data to commercial partners of Planet49. A link at the checkbox shows that it concerns no fewer than 57 companies, which you as a participant can uncheck one by one if you wish. Participation in the lottery is only possible if the participant actually ticks this first checkbox.
The second checkbox serves to obtain permission to place cookies on the first visit to the Planet49 website. The purpose of these cookies is to monitor the surfing behavior of the participants and to send individualized advertisements from the 57 partners on the basis thereof. This checkbox is checked in advance.
And what is the verdict?
Well, in Case C-673/17, the Court of Justice ruled that a pre-checked check box, in case there was any doubt, does not constitute valid consent under cookie law.
What is interesting is that the Court makes extensive comparisons between GDPR on the one hand and cookie rules on the other. Based on that comparison, the Court decides that consent actually means exactly the same under both regulations: the visitor to a website must be free to say yes or no, must perform an active act for that purpose (tick box), must be sufficiently informed about what will happen to his data (and which cookies will be used for this and how long it will be stored) and he or she should not be disadvantaged for the fact that he or she does not opt-in.
Moreover, the Court confirms that the processing of data by means of cookies always requires the active consent of the data subject, regardless of whether or not personal data is involved.
What does this mean in practice?
This also means that everyone who so far implicitly assumed the visitor’s agreement “due to the further visit to our website” is not in line, that all opt-out based cookie banners are not in line, that all cookie banners that provide one general opt-in without distinction per processing are also not in line, …
The reality today is that the cookie model is under great pressure. Consumers are no longer willing to accept unlimited monitoring of their online behavior and it is becoming increasingly difficult to obtain opt-ins. In the meantime, the EU is working on a full revision of cookie legislation in the form of the future “ePrivacy Regulation”.
You can read about the impact of that ePrivacy Regulation, and of for example Apple’s recent ITP 2.1, on retargeting and affiliate marketing or on current practices with new versus returning visitors, time to convert, marketing automation, lifecycle-based prospect or lead generation, personalized content, attribution models, … in our contribution in the upcoming book “Obsessed” by Marc Bresseel and Renout Van Hove by Duval Union and Growth Agent.
However, that is a necessity, both under GDPR and under the cookie law. The answers to the following questions are essential for every company and must be communicated to your website visitors:
- Which cookies do we use?
- Who is the publisher?
- How long are those cookies stored?
- With whom is the collected data shared?
- Is it about personal data?
- Is the processing in the case of personal data “GDPR compliant”?
- How and when do we ask for consent?
- Is that consent free and informed?
Questions about cookies or our standard scan?
Feel free to contact Bart Van den Brande at email@example.com or on 0486 901 931