It was already generally known or even feared, and now it’s official: The European Court of Justice (ECJ) has ruled that consent to cookies must be explicit (opt-in) and must not be pre-ticked as the default setting. Cookie banners that merely state that cookies are set and offer only an ‘OK’ button are therefore not legal. The same applies to solutions in which the corresponding default selections are already ticked but could be removed by the user (opt-out).
According to the ECJ, ‘consent referred to in those provisions is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user’s terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent’.
Data protection assessment of the ruling
According to today’s ruling by the ECJ, there is an urgent need for action for many website providers! A few points should be emphasized:
The ruling applies to all cookies. It does not matter whether they process personal data or not. The basic idea is that nothing may be stored on the user’s device without the user’s consent. This does not result from the original text of Directive 2002/58/EC, but rather from its amendment in 2009. The decisive provision of Art. 5 Para. 3 Directive 2002/58/EC states:
‘Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing […].’
The ECJ makes it explicitly clear that the type of cookies involved does not matter. This ruling is therefore of considerable importance even beyond the scope of data protection law.
Cookies that are technically strictly necessary are still permitted. Art. 5(3) of Directive 2002/58/EC remains unchanged. This allows storage to take place where the sole purpose is to carry out the transmission of a message over an electronic communications network or where it is necessary for the service provider to be able to provide a service expressly requested by the subscriber or user.
The court does not expressly address the issue of coupling or the prohibition of coupling. The question as to whether consent cannot be provided in return in certain cases is thus not conclusively clarified.
Models in which a free service is remunerated with personal data are not off the table. The principle of ‘pay with your data instead of with money’ has in many cases already been considered possible by supervisory authorities, e.g. the Bavarian State Office for Data Protection Supervision (BayLDA). However, details must always be clarified on a case-by-case basis.
Conclusion: The ruling amounts to an anticipation of the ePrivacy Regulation.
The utilisation of cookies of any kind is only possible with express prior consent. This applies not only to cookies used for advertising purposes, but also to perform functions such as the storage of preferences (language, etc.), even if these are not personal cookies.
Consent must be based on sufficient information. In plain language: As with the information already required in the area of personal cookies, consent will have to be given for all cookies in the future.
Which cookies are deemed ‘technically essential’ still has to be determined. As always: Ask your – hopefully sufficiently qualified – Data Protection Officer!