A recent decision of the CJEU has clarified a number of questions relating to the use of cookies and similar technologies. This decision is largely consistent with much of the recent regulatory guidance which has been published on this subject. It does however provide some useful clarifications for businesses about how to deal with cookies on their websites and confirms that the operators of websites should be reviewing their cookie policies and how consent is obtained in relation to cookies and similar technologies.

The Planet49 Case

The Planet49 case concerned a German company which organised a promotional lottery on its website.

Internet users wishing to take part in Planet49's lottery were required to enter their postcodes, which redirected them to a web page where they were required to enter their names and addresses. Beneath the input fields for the address were two bodies of explanatory text, each accompanied by a checkbox. The first body of text invited the visitor to tick its checkbox in order to receive third-party advertising.

The second body of text, whose checkbox was pre-ticked, allowed Planet49 to set cookies which tracked the users' behaviour online. Associated with this second body of text was a hyperlink setting out the cookies that would be used and some instructions about how they could be deleted.

Questions before the court included: whether a pre-ticked box constituted valid consent; whether personal data had to be involved for cookie law to apply; what valid consent looks like; and what information should be given to a consumer (specifically, whether this includes the duration of a cookie).

The findings of the Court can be summarised as follows:

  1. The GDPR standard for consent applies where consent to set cookies is required. This means that consent cannot be implied and must be freely given, specific, informed and unambiguous.
  2. A pre-ticked box does not constitute valid consent for cookies.
  3. It is irrelevant whether or not the cookie collects personal data: the provisions of the e-Privacy Directive apply to all cookies, regardless of whether personal data is involved.
  4. The information given to a user should include the duration of the operation of the cookies and whether third parties may have access to those cookies.

The ICO Guidelines

None of what the CJEU said in the Planet49 case will be much of a surprise to anyone who has read the ICO's most recent guidelines on cookies and related technologies.

In a nutshell, the guidelines make it clear that businesses cannot rely on implied consent when placing cookies, as was previously (arguably) the case. The Privacy and Electronic Communications Regulations (PECR), which govern the use of cookies in the UK, require that users or subscribers consent to cookies being placed or used on their device. Whilst consent is not defined under PECR, it is clear that the GDPR definition of consent applies to cookies.

In practice this means that you must now ensure that, when placing cookies, express consent is sought in advance (i.e. before cookies are set) and that users are given clear and detailed information about the cookies, so that the consent obtained is informed. Gone, therefore, are pre-ticked boxes and pop-up banners which say things like "By continuing to browse you consent to us setting cookies".

The requirement to obtain consent only applies to non-essential cookies. It does not apply to essential cookies, for example those relating to user authentication or input, security, streaming content or network preferences, but it does apply to non-essential cookies such as social media plug-ins or cookies used for online advertising or cross-device tracking. Where a cookie has more than one purpose, consent is required if at least one of those purposes is non-essential.

Practical considerations

  1. Update your cookie policy to include detailed information on the essential and non-essential cookies that you are using. This must include how long each cookie is set for.
  2. Make sure that your consent mechanism links to your cookie policy and has a clear description of what this is for.
  3. Ensure that you obtain consent by the user carrying out a positive act such as ticking a box. No pre-ticked boxes or implied consents!
  4. If using banners / pop-ups or message bars it will be important to consider the implications for a user accessing the website from different devices – what works on a laptop may not be visible or accessible from a mobile device.
  5. Use of the words "Agree" or "Allow" in font or type that is more prominent than "Reject" or "Block" represents a non-compliant approach, as you will be influencing users towards the "accept" option.
  6. Give users a chance to control the use of cookies by "opting out". This can be done by a control panel or through changing browser preferences.
  7. It is important at all times for users to fully understand: what you are using cookies for, how you have gone about seeking their consent, how you (and any third party) intend to use their data, and that you have provided them with appropriate control over their preferences.
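The rules above (no cookies set before a positive act, no pre-ticked default, essential cookies exempt, mixed-purpose cookies treated as non-essential, and per-cookie disclosure of duration and third-party access) can be enforced in a small consent gate. The following is an added example written for this article, not code from Planet49, the ICO or any vendor; the cookie names, purposes and the Map-based cookie jar are constructed for illustration.

```javascript
// Added example, not from the article: a browser-side consent gate that sets
// non-essential cookies only after an explicit opt-in. Cookie names, purposes
// and the jar interface are constructed for illustration.
const ESSENTIAL_PURPOSES = new Set(['authentication', 'user input', 'security', 'network preferences']);

// Each entry carries what the policy must disclose: purpose(s), duration, third-party access.
const COOKIE_REGISTRY = {
  session_id: { purposes: ['authentication'], durationDays: 0, thirdParty: false },
  csrf_token: { purposes: ['security'], durationDays: 0, thirdParty: false },
  ad_tracker: { purposes: ['advertising'], durationDays: 365, thirdParty: true },
  // Mixed purposes: a single non-essential purpose is enough to require consent.
  region_prefs: { purposes: ['network preferences', 'advertising'], durationDays: 180, thirdParty: false },
};

// A cookie needs consent unless every purpose it serves is essential.
function requiresConsent(meta) {
  return meta.purposes.some((p) => !ESSENTIAL_PURPOSES.has(p));
}

function createConsentGate(registry, jar) {
  let consent = null; // null = no decision yet; never initialised to true (no pre-ticked box)
  return {
    // Called only from a positive act by the user (ticking a box, clicking Agree or Reject).
    recordDecision(accepted) {
      consent = accepted === true;
      if (!consent) { // rejection or later opt-out: drop non-essential cookies already set
        for (const name of [...jar.keys()]) if (requiresConsent(registry[name])) jar.delete(name);
      }
    },
    setCookie(name, value) {
      const meta = registry[name];
      if (!meta) throw new Error(`unregistered cookie: ${name}`);
      if (requiresConsent(meta) && consent !== true) return false; // blocked before consent
      jar.set(name, value);
      return true;
    },
    // Per-cookie disclosure lines for the cookie policy and the banner link to it.
    disclosure() {
      return Object.entries(registry).map(([name, m]) =>
        `${name}: ${m.purposes.join(', ')}; ${requiresConsent(m) ? 'consent required' : 'essential'}; ` +
        `duration: ${m.durationDays === 0 ? 'session' : `${m.durationDays} days`}; ` +
        `third-party access: ${m.thirdParty ? 'yes' : 'no'}`);
    },
  };
}
```

Every cookie a site sets should go through `setCookie`, so that an unregistered cookie fails loudly rather than silently escaping the policy.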

Non-compliance

The ICO has made it clear that non-compliance will lead to formal action being taken. However, it is also unlikely that priority for formal action will be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals. The ICO will consider whether you can demonstrate that you have done everything that you can to clearly inform users about the cookies and provide clear direction as to their choices in relation to these cookies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.