Europe’s top court says active consent is needed for tracking cookies

Europe’s top court has ruled that pre-checked consent boxes for dropping cookies are not legally valid.

Consent must be obtained prior to storing or accessing non-essential cookies, such as tracking cookies for targeted advertising. Consent cannot be implied or assumed.

It’s a decision that — at stroke — plunges websites into legal hot water in Europe if their cookie notices don’t ask for consent first. As many don’t, preferring not to risk their ability to track users for ad targeting.

Now they could be risking a big fine under EU privacy laws if they don’t obtain valid consent for tracking.

Full text of the CJEU cookie ruling improves understanding of #GDPR consent. Preselected fields make it impossible to detect if user consented. #ePrivacy https://t.co/rzuVEzGtRi

— Lukasz Olejnik (@lukOlejnik) October 1, 2019

Sites that have relied upon opting EU users into ad-tracking cookies in the hopes they’ll just click okay to make the cookie banner go away are in for a rude awakening.

Or, to put it another way, the ruling should put a stop to some, er, ‘creative’ interpretations of the rules around cookies that manage to completely miss the point of the law…

ehem

at here refreshing Curia press release page & noticed their own non-compliant #cookie notice – spot the irony on their cookie information page – looks like the Court are about to render their own site illegal wrt to pre-ticked boxes… a little embarrassing… #privacy #planet49 pic.twitter.com/ewdEqQqrvb

— That Privacy Guy (@alexanderhanff) October 1, 2019

The decision is also likely to influence the ongoing reform of ePrivacy rules — which govern online tracking.

While the outcome of that very heavily lobbied piece of legislation remains to be seen today’s ruling is clearly a win for privacy.

Planet49 case

The backstory to today’s ruling is that a German court asked the CJEU for a decision in a case relating to a lottery website, Planet49, which had required users to consent to the storage of cookies in order to play a promotional game.

In an earlier opinion an influential advisor to the court also took the view that affirmative action not simple inaction must be necessary to constitute consent.

Today the CJEU agreed, handing down a final judgement which makes it plain that consent can’t be assumed — it requires an active opt-in from users.

In a punchily brief press release the court writes:

In today’s judgment, the Court decides that the consent which a website user must give to the storage of and access to cookies on his or her equipment is not validly constituted by way of a prechecked checkbox which that user must deselect to refuse his or her consent.

That decision is unaffected by whether or not the information stored or accessed on the user’s equipment is personal data. EU law aims to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.

The Court notes that consent must be specific so that the fact that a user selects the button to participate in a promotional lottery is not sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies.

Furthermore, according to the Court, the information that the service provider must give to a user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.

So, to sum up, pre-checked consent boxes (or cookie banners that tell you a cookie has already been dropped and pointlessly invite you to click ‘ok’) aren’t valid under EU law. 

Furthermore cookie consent can’t be bundled with another purpose (in the Planet49 case the promotional lottery) — at least if that fuzzy signal is being used to stand for consent.

There’s also an interesting new requirement which looks set to shrink the ability of service operators to obfuscate how persistently they’re tracking Internet users.

For consent to cookies to be legally valid the court now says the user must be provided with some specific information on the tracking, namely: How long the cookie will operate, and who their data will be shared with. So, er, awkward…

The most interesting thing is how the Court justifies that info on cookie duration/those who can access should be provided. ePrivacy refers to data protection law on the information provided, but as ePrivacy is not always about personal data, the info reqs in DP don't always fit

— Michael Veale @mikarv@someone.elses.computer (@mikarv) October 1, 2019

What's more interesting: sites must inform about the duration of cookie validity. This is interesting insight, and was not generally followed. Should be identical to 'Expires' or 'Max-Age' setting when cookies are set. Does it also apply to SameSite configuration? #GDPR #ePrivacy pic.twitter.com/f55AtbqArb

— Lukasz Olejnik (@lukOlejnik) October 1, 2019

“Extending information requirement to include cookie configuration details is an interesting twist that will provide more information to users,” Dr. Lukasz Olejnik, an independent cybersecurity advisor and research associate at the Center for Technology and Global Affairs at Oxford University, told us.

“Sites will need to be wary to be sure that the user-facing text matches the actually used values of max-age or expires attributes. It is also interesting to wonder if sites will want to provide similar information about other cookie attributes.”

Safe to say, there will be some long faces in the ad industry today.

“The Court has made clear that consent should always be manifested in an active manner, and may not be presumed. Therefore, online operators should ensure that they do not collect consent by asking users to unclick a pre-formulated declaration of consent,” said Luca Tosoni, a research fellow in computers and law at the University of Oslo, also commenting on the court ruling.

ePrivacy reform

As we’ve reported before very many sites and services in Europe have, at best, been playing lip-service to EU cookie consent requirements — despite the advent of tighter rules coming into force last year under the General Data Protection Regulation (GDPR), which says that consent must be specific, informed and freely given to be a valid legal basis. And despite — more recently — further guidance from DPAs clarifying the rules around cookie consent.

So the CJEU ruling should lift a fair few heads out of the sand.

“Before the entry into force of the GDPR, the conditions for consent were interpreted differently across Europe. Today’s judgment is important as it brings some clarity on what should be considered valid consent under EU data protection law,” Tosoni also told us, saying he expects the ruling to result in changes to many cookie notifications.

“National courts and data protection authorities across the EU will need to follow the Court’s interpretation when assessing whether controllers have validly obtained consent. In turn, this should lead to more harmonization in enforcement across Europe, in particular with regard to cookie notices. Thus, I would expect many operators to change their non-compliant consents to conform with the ruling.”

EU law on cookie consent dates back much earlier than the GDPR — to the prior Data Protection Directive and the still in force ePrivacy Directive — Article 5(3) of which specifies that for cookies to be used users must give opt-in consent after being provided with clear and comprehensive information (with only a limited exception for ‘strictly necessary’ cookies).

Although European legislators have been trying for years to agree on an update to the ePrivacy Directive.

A draft proposal for an ePrivacy Regulation was introduced by the Commission at the start of 2017. But negotiations have been anything but smooth — with a blitz of lobbying from the adtech and telecoms industries pushing against a firm requirement for opt-in consent to tracking.

The CJEU’s clarity that consent is required to store and access cookies pushes in the opposite direction. And that firm legal line protecting individual privacy from background tracking technologies should be harder for legislators to ignore.

“Today’s ruling is likely to have a significant impact on the ongoing negotiations on the ePrivacy Regulation which is set to regulate cookie usage, an issue on which European legislators are struggling to find an agreement,” Tosoni said, adding: “In the past, the Court’s rulings have had an important impact on the development of the GDPR.”

In the meanwhile, the judgement should at least force some of the more cynical and/or stupid cookie banners to be quietly replaced with something that at least asks for consent.

Cookie walls

That said, the ruling does not resolve all the problems around cookie consent.

Specifically the court has not waded into the contentious forced consent/cookie wall issue. This is where a site requires consent to advertising cookies as the ‘price’ for accessing the sought for service, with the only other option being to leave.

Earlier this year the Dutch DPA deemed cookie walls to be illegal. But the agency’s interpretation is open to legal challenge. Only the CJEU can have the final word.

In the Planet49 case the court sidestepped the issue — saying the referring court did not ask it to rule on the question of “whether it is compatible with the requirement that consent be ‘freely given’, within the meaning of Article 2(h) of Directive 95/46 and of Article 4(11) and Article 7(4) of Regulation 2016/679, for a user’s consent to the processing of his personal data for advertising purposes to be a prerequisite to that user’s participation in a promotional lottery, as appears to be the case in the main proceedings”.

“In those circumstances, it is not appropriate for the Court to consider that question,” it wrote.

Likely it’s doing so because another case is already set to consider that question. Tosoni says he expects the Orange Romania case — which is pending before the court — to further clarify the requirements of valid consent in the context of it being ‘freely given’.

“Some uncertainty on the requirements of valid consent remains. Indeed, in today’s judgment, the Court has primarily clarified what constitutes unambiguous and specific consent, but the Court has, for example, not clarified what degree of autonomy a data subject should enjoy when choosing whether or not to give consent for the latter to be considered “freely given”,” he said.

“Today’s judgment does not provide an answer on the legality of cookie walls, which require consent to access the underlying service.  The Court found that it was unable to address this point, as the referring German court had not asked the ECJ to assess the legality of making participation in a lottery — the service at issue in the case — subject to giving advertising cookie consent.  Further clarity on this issue may come from the Orange Romania case, which is currently pending before the ECJ.”

IAB Europe response

Responding to the ruling the Interactive Advertising Bureau (IAB) Europe’s CEO Townsend Feehan told us: “It’s interesting that the court are taking the view that the ePrivacy Directive provision appear to require users to be told how long a cookie will be functioning. That’s something that’s qualitatively a little bit new.”

She also agreed the CJEU ruling will likely require some changes to some existing cookie consent notices, saying: “If now the court is taking the view that users have to have precise information about the persistence of a cookie that would definitely require changes to UIs.”

“The idea that you couldn’t have preticked boxes/don’t constitute active consent is not really a surprise to anyone, and the idea that the ePrivacy Directive requirement applies to non-personal data as well as personal data is also not surprising,” she also said, further claiming the IAB’s Transparency and Consent Framework (TCF) discourages the use of pre-ticked boxes.

The TCF was introduced last year by the ad industry standards body, ahead of GDPR, when the IAB made a big push to encourage publishers to use its framework to gather consents for processing visitors’ personal data in Europe.

However there are examples of this TCF including pre-ticked consents — such as in a widely used implementation developed by Quantcast. An adtech veteran whose business is, as it happens, currently under investigation by Ireland’s Data Protection Commission (which is looking into whether its processing and aggregating of personal data to profile Internet users for ad targeting is in compliance with the GDPR).

Asked whether the IAB will be advising its members to make changes to how they gather consents in light of the CJEU ruling, Feehan said: “The recommendation until now has just been to comply with Article 13; the disclosure requirements in the GDPR. Now that the court has taken a different view from the letter of the law that is something indeed we could make a recommendation. We have a working group that needs to look at whether the policies ought to be amended in light of the ruling — and so that process will play out in the next few weeks.”

She also said the IAB’s wider position on the ePrivacy Regulation remains unchanged for now — which is to say it doesn’t believe updated tracking rules are necessary.

“I don’t think this ruling will affect our general approach or position on the proposed ePrivacy Regulation,” she said. “Our view on ePrivacy Regulation is basically that it’s probably not necessary. That all one needs is the GDPR. If you look at the substantive scope of the ePrivacy Regulation in relation to the cookie provisions… they’re completely redundant with what was adopted in the GDPR.”

Asked to respond to wider criticism of the adtech industry’s business model being based on consent-less tracking of Internet users Feehan rejected the critique as “complete nonsense”, adding there’s nothing in the CJEU judgement to support such a view.

Today's decision of the EU Court of Justice in the case #Planet49 is a message to the #adtech industry: your business model based on unlawful profiling, forced tracking and unconsented targeted ads is not valid under EU law #ePrivacy https://t.co/BDgRpB0hK2

— Access Now (@accessnow) October 1, 2019

“The judgement doesn’t tell us anything new about the content of the law. The advertising industry needs to obey the law, the overwhelming majority of players in the digital advertising industry obey the law. And this ruling doesn’t tell us anything new as far as I’m concerned about the law… It does introduce this perhaps more precise requirement with respect to the obligation to disclose the duration of persistence of cookies. But I don’t understand on what basis anyone would read today’s ruling and decide that based on that reading one discovers that the business model is illegal. I don’t understand the logic of that.”

This report was updated with comment from the IAB Europe