
Ruling from Europe’s High Court: “Active” Consent Required for Cookies

The Court of Justice of the European Union (CJEU) – the European Union’s equivalent to the US Supreme Court – has issued a very important ruling with respect to cookie compliance that may require re-evaluation of your cookie consent practices if your website is available to EU users. The bottom line: those pre-ticked boxes for “consent” to the use of cookies are not a valid means to obtain consent. Further, if your site utilizes a “cookie banner” that basically says “by using this website you agree to our use of cookies as described in our Cookie Policy,” that will also need to be revamped. Consent may not be implied or assumed according to the CJEU. Only express consent to the setting of tracking cookies will be considered valid, and the disclosure must be made and consent obtained before any cookies are set.

Unusually for the CJEU, the decision is straightforward with little ambiguity.

The opinion has four key holdings:

  • Pre-ticked checkboxes do not constitute valid consent. Users must actively consent to the use of cookies; a user who remains passive does not provide valid consent. Consent must be explicit and not implied. According to the court, with any pre-ticked checkbox (an “opt-out”), it is impossible to determine objectively whether a user has given consent.
  • Consents for different processing activities must be separate. Consent to cookies must be separate from consent for other processing activities. You can’t “bundle” cookie consent with consent to a privacy policy.
  • The consent requirement of the GDPR applies to the use of cookies whether or not the cookies are personal data. According to the CJEU, it makes no difference whether the information stored or accessed through cookies constitutes personal data. The consent requirements apply to the storing or accessing of information on users’ devices via cookies or other similar technologies (pixels and other tracking technologies) regardless of whether they involve personal data.
  • Valid consent requires clear and comprehensive information. The CJEU says that users must be able to understand what their consent covers, and in particular the consequences of any consent they may grant. Companies must provide clear, comprehensive, and unambiguous information to users, in particular on the lifespan of the cookies and the identity of the third parties that gain access to the cookies (and data collected through them). The presentation of a banner at the bottom of a webpage, even with an active link to a “Cookie Policy,” is unlikely to be considered providing clear and unambiguous information, particularly if an “Accept Cookies” button is presented without the required disclosure.

Here are some immediate takeaways from the CJEU’s holding:

  • Review your cookie “acceptance” mechanism. Even third-party “preference centers” allow for pre-selection of “accept” or “active” buttons with respect to certain types of cookies. The court said “requiring a user to positively untick a box and therefore become active if he does not consent to the installation of cookies does not satisfy the criterion of active consent … By contrast, requiring a user to tick a box makes such an assertion far more probable.” Also review the acceptance mechanism to ensure that the timing is appropriate and no cookies are dropped before a user makes a choice.
  • Review your cookie statement or cookie policy.   Does it describe what cookies are being set and how those cookies are then used for tracking (or other purposes)?  Does it describe what third parties are setting cookies or will be passed cookie information?  Does it describe the duration of the validity of the cookies?
  • Do you try to “bundle” cookie consent with other “consents” or other actions? 

To avoid potential audits or investigation by EU data protection authorities and potential fines under the GDPR, review and remediation should be undertaken as soon as possible.


Author

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.