Context

Many businesses use cookies on websites to "recognise" their users and to target tailored content and behavioural advertising.  You'll have probably noticed that many cookie banners have been beefed up over the last year in response to GDPR.  

The law

Data protection law requires prior consent of the subscriber or user to store information on, or access information from, their terminal equipment.  This is based on the assumption that such terminal equipment is the "private sphere" of that subscriber or user and deserves special protection.  

The legal rules are actually contained in the e-Privacy Directive (2002/58/EC) as amended by Directive 2009/136/EC.  It was the 2009 Directive that introduced the prior consent requirement when, previously, this had been an "opt-out" rule only.  Therefore, the consent requirement is not new.

GDPR increased the compliance burden by upgrading the definition of "consent".  This is what website publishers and the adtech community have been grappling with ever since.  

The facts

In September 2013, Planet49 organised a promotional lottery on a website and included a checkbox (default ticked) as a cookie consent.  Cookies were to be used as part of an advertising network for behavioural advertising purposes.  The cookie notices named the particular cookies to be dropped and the way in which they would be linked to registration data for direct marketing.  

There was also a checkbox (not default ticked) to collect consents for direct marketing by sponsors and co-operation partners.  However, the CJEU did not consider it necessary to deal with this in their ruling this week. Instead, it raised some other interesting issues (see below).  

The judgment dealt with the following points:

Can a pre-ticked checkbox constitute a valid consent mechanic?

No.  This is neither new, nor a surprise.  The old Data Protection Directive (95/46/EC) assumed users would have to take an active step to give consent.  GDPR puts this beyond doubt by requiring a "clear affirmative action" to signify consent.  It also says that "silence, pre-tick boxes or inactivity" cannot be valid consent.  

Therefore, always ensure that cookie consent mechanics (in particular, in the cookie pop-up/banner) operate on the basis that cookies are only loaded or dropped if and when the user ticks the box or clicks on "Accept" or its equivalent. 

Does it make a difference whether the information stored or accessed via cookies constitutes personal data?

No. Again, this is also neither new, nor a surprise.  The e-Privacy rules have always stated that consent is required when information (not necessarily personal data) is stored on or accessed from the terminal equipment of the user.  This is why we refer to the rule as the "device-based data rule", rather than the "cookie rule".  

Do you need to specify cookie duration and third party access?

This is a more interesting question.  The court decided that the website publisher (or the party dropping the cookies) should include information on the duration of the operation of the cookies and whether or not third parties may have access to those cookies.  This was on the basis of fair processing (under the old law) and the specific requirements of GDPR in terms of privacy notices.  

This is a significant change from the current market position and will require updates to cookie notices to specify duration and third party access.

It is also worth noting that, at present, both privacy regulators and privacy activists are very interested in cookies and that it is easy for anyone to check a website for cookie compliance. 

Another interesting issue …

Unfortunately, the court did not consider it necessary to opine on the fact that the website had a separate marketing consent (with an unticked checkbox).  The issue here was whether the website could require users to sign up for marketing as a condition of entering the promotional lottery.  GDPR says that you cannot make provision of a service conditional upon processing not required to perform such service (and, again, this was neither new, nor a surprise).  This is the "no bundling" rule.  The Advocate General had said that the underlying purpose of participation in the lottery is the "selling" of personal data (and agreeing to be contacted by "sponsors").  Therefore, the door is still open to the possibility that if the core purpose of the lottery is processing personal data for direct marketing, then this is outside the "no bundling" rule.  

Actions required?

  • Update cookie notices to specify duration/third party access for each cookie. If you do not have this information available, you may need to carry out a cookie audit.
  • Ensure that the cookie banner (or consent tool) operates on a strictly "opt-in" basis (no default ticks, cookie walls or reliance on inactivity) for the types of cookies for which consent is required.
  • Do not argue that cookies are not personal data to get you out of the prior consent rule, because the rule applies irrespective of whether the cookie data is personal data. In any event, cookies will often contain personal data (as was the case in Planet49).

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.