Cookie consent is a box-ticking exercise after all!
16 October 2019
The clarity from the ECJ has come in the form of its ruling in the Planet 49 case. Planet 49 (a German company) organised promotional lotteries on its website. To enter, entrants had to provide certain personal details. The entry page also had two tick boxes which the entrant had to engage with. The first, which was not pre-ticked, had to be ticked to participate. Ticking the box gave consent to the entrant being contacted by various businesses about their offers. The second box, which was pre-ticked, gave consent for cookies to be placed on the entrant’s device. The second tick box did not need to be ticked to participate, but if the entrant did not wish to have cookies dropped, he or she had to untick the box.
The ECJ said that this approach was unlawful. Valid consent requires the user’s consent to be freely given, specific, informed and unambiguous. The ECJ said that if the box was pre-ticked, and the user did not engage with it in any way, then how could anyone determine if the user had given consent? They may not even have noticed the tick box. By contrast, by ticking the box, the user would have taken an active, measurable step to give consent.
This ruling isn’t exactly “hold the front page” news – it would have been far more surprising had the ECJ ruled otherwise. So why is it important, you may ask?
Since the introduction of the E-Privacy Directive 2002, consent has been required to drop non-essential cookies. These are cookies which are nice to have, such as analytics or advertising cookies, but are not essential to the operation of the website like a shopping cart cookie is (without a shopping cart cookie to remember what you’ve put in your basket, a website wouldn’t be able to sell you the things you want to buy.)
To the extent there was ever any doubt, the ECJ has now removed it. So the effect of this ECJ ruling is that website operators can no longer take the “wait and see” approach on their websites. We have waited and now we have seen, and it will be interesting to see how website operators respond and what steps they take to make their cookie consent compliant.
No more implied consent.
No more cookie consents and preference centres with pre-ticked boxes.
Many websites now use third-party tools to manage the visitor’s choices when visiting a website and it is likely that the ECJ ruling will see even greater take up. These tools have an almost bewildering array of toggles allowing the visitor to opt in to different sorts of cookies. Some website operators have these toggles set to “ON”, others have them “OFF”, whilst still others have a mix of “ON” and “OFF”. According to the ECJ, these should all be “OFF” by default. However, there is some doubt as to whether all non-essential cookies should be treated the same – some functional and performance are perhaps less intrusive than advertising/tracking cookies, and the UK’s ICO has hinted in its own cookie guidance that first-party analytics cookies that present low levels of intrusiveness and risk to individuals may not be high up on its list of priorities.
If there’s one regret about the ECJ judgment, it is that it didn’t consider the lawfulness of cookie walls. This is where the website operator makes cookie consent a pre-requisite for access. It is difficult to see how consent can be freely given if it is compulsory, but it may be that there are circumstances where this might make sense, for example, a paid platform where cookie consent is given in lieu of payment for access. Clarity in this area is much needed, so it’s a shame the ECJ didn’t cover this. I suppose
that’s the just way the cookie crumbles we can’t have it all.