“No consent, no cookie”, says the European Court of Justice

The European Court of Justice confirmed in a judgment of 1 October 2019 that the use of cookies always requires the prior free and informed consent of the data subject and that this consent cannot be demonstrated by a prechecked check box.


Ask consent for the use of cookies or not?

The Belgian “cookie law” is now in its 7th year and since its inception it has sown little more than frustration and confusion.

However, the basic rule is not that difficult: prior to placing a cookie on someone’s device you need the consent of the person concerned. According to the European Directive that forms the basis of the cookie law (Directive 2002/58), this permission must be “free, specific and informed”. The only case in which you do not need prior permission is if you use cookies that are strictly necessary for your website to function properly. This applies not only to cookies, by the way: the same rules apply to all similar technologies, such as fingerprinting.

In other words, a pop-up banner when you first visit a website asking for permission to place cookies is really necessary. This also means that the visitor must be free to refuse permission and still visit your website.

However, in recent years we have seen all kinds of creative solutions that try to avoid having to ask for explicit permission, ranging from simply not requesting permission, via pre-checked opt-ins to a system of opt-outs. In the light of the above, it should be clear that this is usually very problematic.

Cookie legislation and GDPR

To complicate matters, cookie legislation does not stand on an island, isolated from other laws. Anyone who wants to process personal data through cookies must take GDPR into account in addition to the cookie law and, in most cases, must obtain a second opt-in for the effective use of the personal data concerned, separately from and in addition to the cookie opt-in.

This subtle distinction is most certainly not always well understood by everyone in the online marketing and e-commerce world. Very few companies seem to fully understand how GDPR and cookie legislation should complement each other and how and when personal information can be collected through the use of cookies and similar technology.

What exactly does the European Court have to do with this?

However, the European Court recently had to answer some very pertinent questions:

  • Can a cookie opt-in be checked in advance?
  • Is it relevant here whether or not personal data is processed under GDPR via the relevant cookie?

Why did the European Court have to answer these questions?

The German company Planet49 organizes online promotional competitions and draws. Anyone who wants to participate must enter their name and address on a Planet49 promotional site. The form that is used for this purpose contains two check boxes and an “I participate” button.

By checking the first check box, the participant gives permission to pass on his or her data to commercial partners of Planet49. A link at the checkbox shows that it concerns no fewer than 57 companies, which you as a participant can uncheck one by one if you wish. Participation in the lottery is only possible if the participant actually ticks this first checkbox.

The second checkbox serves to obtain permission to place cookies on the first visit to the Planet49 website. The purpose of these cookies is to monitor the surfing behavior of the participants and to send individualized advertisements from the 57 partners on the basis thereof. This checkbox is checked in advance.

And what is the verdict?

Well, in Case C-673/17, the Court of Justice ruled, insofar as any doubt could still exist, that a pre-checked check box does not constitute valid consent under cookie law.

What is interesting is that the Court makes extensive comparisons between GDPR on the one hand and cookie rules on the other. Based on that comparison, the Court decides that consent actually means exactly the same under both regulations: the visitor to a website must be free to say yes or no, must perform an active act for that purpose (ticking a box), must be sufficiently informed about what will happen to his data (and which cookies will be used for this and how long it will be stored), and he or she should not be disadvantaged for not opting in.

Moreover, the Court confirms that the processing of data by means of cookies always requires the active consent of the data subject, regardless of whether or not personal data is involved.

What does this mean in practice?

The consequences are clear: the use of cookies always requires active prior consent, unless it is a question of technical cookies.

This also means that everyone who so far implicitly assumed the visitor’s agreement “due to the further visit to our website” is not in line, that all opt-out based cookie banners are not in line, and that all cookie banners that provide one general opt-in without distinction per processing are also not in line, …

Until now, the Belgian Data Protection Authority was not very active in imposing fines, neither under GDPR, nor for the use of cookies. As far as GDPR is concerned, we have seen a change in this over the past weeks and months, and with this judgment in mind, it will in all likelihood also be the case with regard to cookie rules in the near future …

The reality today is that the cookie model is under great pressure. Consumers are no longer willing to accept unlimited monitoring of their online behavior and it is becoming increasingly difficult to obtain opt-ins. In the meantime, the EU is working on a full revision of cookie legislation in the form of the future “ePrivacy Regulation”.

You can read about the impact of that ePrivacy Regulation and of, for example, Apple’s recent ITP 2.1 on retargeting and affiliate marketing or on current practices with new versus returning visitors, time to convert, marketing automation, lifecycle-based prospect or lead generation, personalized content, attribution models, … in our contribution to the upcoming book “Obsessed” by Marc Bresseel and Renout Van Hove by Duval Union and Growth Agent.

Review your cookie policy

What companies have to do while waiting is to thoroughly review their cookie policy. Our observation in practice is that many companies do not even have a clear idea of which cookies they use, what data is collected with them and with whom they are shared.

However, that is a necessity, both under GDPR and under the cookie law. The answer to the following questions is essential for every company and must be communicated to your website visitors:

  • Which cookies do we use?
  • Who is the publisher?
  • How long are those cookies stored?
  • With whom is the collected data shared?
  • Is it about personal data?
  • Is the processing in the case of personal data “GDPR compliant”?
  • How and when do we ask for consent?
  • Is that consent free and informed?

In order to help companies answer these questions, Sirius Legal has worked with conversion agency Grava to develop a cookie scan tool, in which your current cookie policy is screened on both technical and legal levels for a fixed fee.

Questions about cookies or our standard scan?

Feel free to contact Bart Van den Brande at bart@siriuslegal.be or on 0486 901 931