At the beginning of October, the European Court of Justice made a ruling in case Planet49, where the Court stated that consent which a website user must give to the storage of and access to cookies on his or her equipment is not validly constituted by way of a pre-checked box which that user must deselect to refuse his or her consent.
The Court found that consent has to be specific, meaning that the user must understand what he or she exactly agrees to. It is important to keep in mind that different processing purposes should not be bundled in a consent. In the Planet49 case, Court decided that the fact that a user selects the button to participate in a promotional lottery is not sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies.
The website owner must provide information that explains the purposes for the use of cookies and a separate consent must be obtained for different types of cookies. Thus, for example, the user should have the option to enable analytical cookies, but to disable advertising cookies.
The Court noted that the information provided when asking for consent must enable the user to understand the implications of such consent and that the information must enable the user to understand how cookies actually work.
Furthermore, according to the Court, the information that the website owner must give to a user should include the duration of the operation of cookies and whether or not third parties may have access to those cookies.
The Court’s position is also supported by a recent decision of the Spanish data protection authority to fine Vueling Airlines with 18,000 EUR for failing to provide users with sufficient information about cookies and to obtain a valid consent to deploy cookies.
Vueling’s website cookie banner implied the user’s consent for the deployment of cookies by the user’s continued use of the website. Such consent is neither informed nor active and does not meet the requirements of the GDPR.
The requirement of consent for cookies is valid, no matter whether the information constitutes personal data or not. No consent is required for technical cookies (which are necessary for the user to navigate the site and to use the main features of the site) and for cookies that are required to provide a service that the user has explicitly requested (e.g to fill a shopping cart).
Other cookies may only be deployed after consent has been given. Every time the user visits the website, he or she must be provided with the ability to revoke his or her consent for the use of cookies. The website owner must also be ready to prove that consent has been lawfully gained.
Examples of cookie banners
The consent given with such a banner needs an active click by the user and gives the opportunity to deny cookies, but is not transparent enough and does not give the user a free choice to decide which cookies he or she wants to have deployed.
Different cookies with different purposes must get separate consent. The cookie notice that the banner should indicate to, must contain information about whether third parties get access to cookies and the duration of cookies.
Although this cookie banner explains the purpose of cookies, such implied consent is not valid. The consent must be given by an active action by the user (such as ticking a box).
This banner is transparent for the user and the consent given is active and informed. The consent is given for different types of cookies. Technical cookies may be pre-ticked since they do not need consent. Other cookies must need active consent (the box may not be pre-ticked).
