Clarification on Consent to use of Cookies

In a new decision (case C673/17), the CJEU clarified an essential issue for website operators. The decision states that a pre-ticked checkbox does not constitute effective consent to the legitimate use of cookies. This also applies to the use of cookies that do not process personal data. Moreover, it must be assumed that the frequently used banners, which can simply be clicked away or are left standing while the website is already processing data at this point in time, do not meet the necessary requirements for effective consent either. Data processing is only allowed following a clear and active behaviour on the part of a website user, which expresses his or her consent to the data processing. From a technical point of view, it will now also be necessary to ensure that no data is in fact collected in cases where consent is refused, which is often not the case in practice at present.

In the decision’s reasoning, the CJEU followed the view of the Article 29 Working Party, which has now been replaced by the European Data Protection Board. It states that a user must be expected to behave actively and not passively if the normative provision requires the user to give ‘consent’. Consent given through a preselected checkbox does not imply any active behaviour on the part of the user of a website.

This will make it necessary for many website operators to change their existing cookie banners. The cookie banners known to all internet users, which make visitors to the website aware that a particular website uses cookies but at the same time do not give them a choice, should therefore soon be a thing of the past in the EU. In addition to a link to the relevant data protection declaration of the website operator, it is now clear that the cookie banner always requires active consent. The data protection declaration must provide the visitor with clear and comprehensive information so as to enable him or her to easily determine the consequences of any consent given and to guarantee that he or she provides consent in full knowledge of the facts. Cookies may not collect any visitor data before such consent has been given.

It is questionable what impact this CJEU ruling will have on the planned e-privacy regulation. The previous draft provides that consent may also be given, as far as technically possible and feasible, through the appropriate technical settings of software which enables access to the Internet (i.e. the Internet browser).

It should also be mentioned that the CJEU expressly did not have to deal with the “prohibition of coupling” and therefore made no statement on it. The prohibition of coupling prohibits making the performance of a contract, including the provision of a service, dependent on the consent to the processing of personal data, insofar as this data is not necessary for the performance of the contract. This would be the case, for example, if a website is made inaccessible to users who do not consent to the processing of their personal data. It is therefore currently not clarified whether such a coupling would be permissible.