Since the implementation of the GDPR in May 2018, not all its provisions have been made clear and some can still be interpreted in different ways. Exemplary court rulings are needed to establish legal interpretations for these in detail. Such decisions then serve as a guideline for further judgments and related issues.
What happened?
On 1 October 2019, the European Court of Justice issued a ruling binding on all member states: from now on, consent for cookies is mandatory for all website operators! This exemplary court decision improves the clarity of the interpretation of the GDPR. In light of this, we explain how you should handle the setting of cookies from now on and which of GDPR’s provisions are still unclear.
In the ruling, the European Court of Justice addresses the provider of a lottery. The lottery provider has a pre-ticked checkbox on the entry form to indicate that the user agrees to the use of cookies from different providers.
The court states the following:
- A pre-checked box does not constitute effective consent.
- The duration for which cookies operate must be specified.
What does that mean?
The judgment also affects all passive, purely informative cookie banners, which often only have an “OK” button and inform about the use of cookies. This is because the user must actively and specifically agree to the setting of cookies – merely stating that cookies are used is not enough. Also, the text “By using our website you agree to the use of cookies” is not sufficient. Although the judgment dealt specifically with cookies, it concerns any type of storage and reading of data on the user’s device. Cookies that are absolutely necessary for the operation of the website do not require active consent. For these, the user just needs to be informed.
What’s the next step?
The judgment is binding on national courts of the Member States. This means that the use of cookies requires the active consent of the visitor. The judgment is indicative and the first of its kind to contain a clear statement on consent for cookies. However, it leaves a number of points open:
- The exact difference between necessary cookies and other types of cookies.
- Whether tracking cookies are considered necessary cookies for aggregate analysis purposes or whether a legitimate interest in them can be asserted.
- Whether consent to categories of cookies is permitted as opposed to each individual cookie requiring permission.
We recommend the following until the new e-Privacy Regulation clarifies this or further court rulings are made:
- Divide cookies into the following categories:
  - Marketing/Targeting Cookies (e.g. Facebook, LinkedIn, Google Ads)
  - Performance/Analytics Cookies (e.g. Google Analytics, Matomo, Piwik, AT Internet)
  - Functional cookies (e.g. Vimeo, debugging tools, chat widgets)
  - Absolutely necessary cookies (e.g. shopping cart, storage of language selection, login status)
- All marketing/targeting cookies must be blocked by default and can only be set with the active consent of the user.
- For the remaining categories, there is a need, or at least a legitimate interest, to set them without active consent. However, you must inform your users about these cookies.
Attention: As soon as any cookies from the Functional or Performance categories are also used for marketing purposes, explicit consent is required.
If you want to be on the safe side, block all cookies except those that are absolutely necessary for the operation of the website. However, you will then also lose information about how your website is used and where it needs to be optimized.
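The recommendation above, written as the decision rule a cookie management solution would apply before setting anything. This is an added example, not code from the article or from any consent product; the cookie names, the `alsoMarketing` flag and the `strict` option are assumptions made for illustration.

```javascript
// Category names follow the article's list; everything else is constructed.
const CATEGORY = Object.freeze({
  NECESSARY: "necessary",
  FUNCTIONAL: "functional",
  PERFORMANCE: "performance",
  MARKETING: "marketing",
});

// Constructed sample inventory. `alsoMarketing` marks a functional or
// performance cookie whose data is also used for marketing purposes.
const inventory = [
  { name: "cart_id", category: CATEGORY.NECESSARY },
  { name: "chat_session", category: CATEGORY.FUNCTIONAL },
  { name: "video_prefs", category: CATEGORY.FUNCTIONAL, alsoMarketing: true },
  { name: "analytics_id", category: CATEGORY.PERFORMANCE },
  { name: "ads_click_id", category: CATEGORY.MARKETING },
];

// consent: Set of categories the visitor actively opted into. It starts
//          empty, so no box is ever pre-ticked.
// strict:  the "safe side" option, where only necessary cookies are set
//          without consent.
function maySet(cookie, consent, { strict = false } = {}) {
  // A cookie nobody categorised is blocked rather than waved through.
  if (!Object.values(CATEGORY).includes(cookie.category)) return false;
  if (cookie.category === CATEGORY.NECESSARY) return true;
  // Marketing use, direct or secondary, needs active marketing consent.
  const marketingUse =
    cookie.category === CATEGORY.MARKETING || cookie.alsoMarketing === true;
  if (marketingUse && !consent.has(CATEGORY.MARKETING)) return false;
  if (cookie.category === CATEGORY.MARKETING) return true;
  // Functional / performance: set without consent by default (the visitor
  // is still informed), gated on their own category in strict mode.
  return strict ? consent.has(cookie.category) : true;
}

function allowedNames(cookies, consent, options) {
  return cookies.filter((c) => maySet(c, consent, options)).map((c) => c.name);
}

// First visit, nothing accepted yet: default policy, then strict policy.
console.log(allowedNames(inventory, new Set()));
console.log(allowedNames(inventory, new Set(), { strict: true }));
```

The consent set should only ever be filled from an explicit user action, and the same check has to run before third-party scripts load, since those scripts set their own cookies.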
Even before the GDPR came into force, we pointed out in our article (How to make your website fit for the new EU data protection regulation) that you should use a cookie management solution to control the setting of individual cookies. We have implemented several dozen of these solutions and would be happy to advise you on creating yours.