Europe’s top court has ruled that pre-checked consent chests for descending cookies are not legally valid.
Consent must be obtained prior to storing or accessing non-essential cookies, such as tracking cookies for targeted marketing. Consent cannot be shown or assumed.
It’s a decision that — at blow — plummets websites into legal hot water in Europe if their cookie notices don’t ask for acquiesce firstly. As many don’t, promoting not to gamble their ability to track consumers for ad targeting.
Now they could be risking a big fine under EU privacy principles if they don’t find valid permit for tracking.
— Lukasz Olejnik (@ lukOlejnik) October 1, 2019
Sites that have relied upon opting EU useds into ad-tracking cookies in the hopes they’ll merely click okay to determine the cookie flag go away are in for a inconsiderate awakening.
Or, to frame it a different way, the rule should put a stop to some, er,’ creative’ readings of relevant rules around cookies that manage to completely miss the point of the law…
at here refreshing Curia press release page& noticed their own non-compliant #cookie notice- place the absurdity on their cookie report sheet- looks like the Court are about to render their own site illegal wrt to pre-ticked cartons … a little embarrassing … #privacy #planet49 pic.twitter.com/ ewdEqQqrvb
— Alexander Hanff (@ alexanderhanff) October 1, 2019
The decision is also likely to influence the ongoing reform of ePrivacy rulers — which govern online tracking.
While the outcome of that very heavily lobbied section of legislation remains to be seen today’s rule is clearly a prevail for privacy.
Planet4 9 case
The backstory to today’s ruling is that a German court queried the CJEU for a decision in a case relating to a lottery website, Planet4 9, which had necessitated consumers to consent to the storage of cookies in order to play a promotional game.
In an earlier opinion an influential advisor to the court also took the view that affirmative action not simple inactivity must be necessary to constitute consent.
Today the CJEU concurred, handing down a final judgement which sees it plain that consent can’t be assumed — it requires an active opt-in from users.
In a punchily brief press release the court writes 😛 TAGEND
In today’s judgment, the Court decides that the permit which a website user must give to the storage of and be made available to cookies on his or her equipment is not validly constituted by way of a prechecked checkbox which that user must deselect to refuse his or her consent.
That decision is unaffected by whether or not the information stored or accessed on the user’s equipment is personal data. EU law aims to protect the user from any interference with his or her private life, in particular, from possible risks that hidden identifiers and other same inventions enter those users’ terminal gear without their knowledge.
The Court notes that consent must be specific so that the fact that a consumer adopts the button to participate in a promotional raffle is not sufficient for it to be concluded that the user validly demonstrated his or her consent to the storage of cookies.
Furthermore, according to the Court, the information that the service provider must give to a user includes the duration of the operation of cookies and whether or not third party may have access to those cookies.
So, to sum up, pre-checked consent chests( or cookie flags that say to you a cookie has already been lowered and pointlessly invite you to click’ ok ‘) aren’t valid under EU law.
Furthermore cookie consent can’t be bundled with another purpose( in the Planet4 9 bag the promotional gamble) — at least if that blurry signal is being used to stand for consent.
There’s also an interesting new requirement which gazes set to shrink the ability of service hustlers to obfuscate how persistently they’re tracking Internet users.
For consent to cookies to be legally valid the court now says the user must be provided with some specific information on the tracking, namely: How long the cookie will operate, and who their data will be shared with. So, er, awkward…
The most interesting thing is how the Court vindicates that info on cookie period/ those who can access should be provided. ePrivacy refers to data protection law on the material provided, but as ePrivacy is not ever about personal data, the info reqs in DP don’t ever fit
— Michael Veale (@ mikarv) October 1, 2019
What’s most interesting: sites must notify about the duration of cookie validity. This is interesting insight, and was not generally followed. Should be identical to’ Expires’ or’ Max-Age’ positioning when cookies are defined. Does it also apply to SameSite configuration? #GDPR #ePrivacy pic.twitter.com/ f55AtbqArb
— Lukasz Olejnik (@ lukOlejnik) October 1, 2019
” Extending information requirement to include cookie configuration items is an interesting twist that will provide more information to users ,” Dr. Lukasz Olejnik, an independent cybersecurity advisor and research associate at the Center for Technology and Global Affairs at Oxford University, told us.
” Sites will need to be wary to be sure that the user-facing textbook matches the actually worked evaluates of max-age or expires facets. It is also interesting to wonder if sites will want to provide same informed about other cookie aspects .”
Safe to say, there will be some long faces in the ad industry today.
” The Court has made clear that consent should ever be manifested in an active nature, and may not be presumed. Therefore, online operators are required to ensure that they do not collect consent by asking consumers to unclick a pre-formulated declaration of acquiesce ,” said Luca Tosoni, a research fellow in computers and law at the University of Oslo, too commenting on the court ruling.
As we’ve reported before very many sites and works in Europe have, at best, been frisking lip-service to EU cookie consent requirements — despite the onset of tighter rules coming into force last year for the purposes of the General Data Protection Regulation( GDPR ), which says that consent must be specific, informed and freely given to be a valid legal basis. And despite — more recently — further guidance from DPAs clarifying the rules around cookie consent.
So the CJEU ruling should face-lift a fair few foremen out of the sand.
” Before the entry into force of the GDPR, the conditions for consent were interpreted differently across Europe. Today’s judgment is important as it accompanies some precision on what should be considered valid consent under EU data protection law ,” Tosoni also told us, “says hes” expects the rule to result in changes to many cookie notifications.
” National courts and data protection experts across the EU will need to follow the Court’s interpretation when assessing whether controllers have validly find permission. In turn, this should lead to more harmonization in enforcement across Europe, in particular with regard to cookie notices. Thus, I would expect countless adventurers to change their non-compliant consents to conform with the decision .”
EU law on cookie agree dates back much more rapidly than the GDPR — to the prior Data Protection Directive and the still in force ePrivacy Directive — Article 5( 3) of which has indicated that for cookies to be used customers must give opt-in consent after being provided with clear and comprehensive datum( with only a limited exception for’ strictly necessary’ cookies ).
Although European legislators have been trying for years to agree on an update to the ePrivacy Directive.
A draft proposal for the purposes of an ePrivacy Regulation was presented by the Commission at the start of 2017. But arbitrations have been anything but smooth — with a offensive of lobbying from the adtech and telecoms industries propagandizing against a house requirement for opt-in consent to tracking.
The CJEU’s clarity that agree is required to store and access cookies propagandizes in the opposite direction. And that firm legal cable protecting individual privacy from background tracking engineerings should be harder for legislators to ignore.
” Today’s finding is likely to have a significant impact on the ongoing negotiations on the ePrivacy Regulation which is set to regulate cookie usage, such issues on which European legislators are struggling to find an agreement ,” Tosoni said, adding:” In the past, the Court’s rules have had an important impact on the development of the GDPR .”
In the meanwhile, the judgement should at least power some of the more cynic and/ or stupid cookie flags to be quietly replaced with something that at least < em> questions for consent.
That said, the rule does not resolve all the problems around cookie consent.
Specifically the court has not waded into the contentious pressured assent/ cookie wall issue. This is where a site necessitates consent to advertising cookies as the’ expenditure’ for accessing the sought for service, with the only other alternative being to leave.
Earlier this year the Dutch DPA saw cookie walls to be illegal. But the agency’s presentation is available on legal challenge. Simply the CJEU can have the final word.
In the Planet4 9 dispute the court sidestepped the questions — saying the referring law did not query it to rule on the question of” whether it is compatible with the requirement that consent be’ freely given’, within the meaning of Article 2( h) of Directive 95/46 and of Article 4( 11) and Article 7( 4) of Regulation 2016/679, for a user’s consent to the processing of his personal data for advertising intents to be a prerequisite to that user’s participation in a promotional raffle, as appears to be the case in the main proceedings “.
” In those circumstances, it is not appropriate for the Court to consider that question ,” it wrote.
Likely it’s doing so because another case is already set to consider that question. Tosoni says he expects the Orange Romania case — which is pending before special courts — to further clarify the requirements of valid assent in the context of it being’ freely given’.
” Some indecision on the requirements of valid permission remains. Surely, in today’s judgment, the Court has primarily clarified what constitutes unambiguous and specific agree, but the Court has, for example , not clarified what grade of autonomy a data subject should enjoy when choosing whether or not to give consent for the latter to be considered “freely given” ,” he said.
” Today’s arbitration is not accommodate an answer on the legality of cookie walls, which require consent to access the underlying service. The Court found that it was unable to address this item, as the relate German court have not been able to queried the ECJ to assess the legality of establishing participation in a lottery — the service at issue in the case — subject to giving advertising cookie consent. Further clarity on this issue may comes here the Orange Romania case, which is currently pending before the ECJ .”
IAB Europe response
Responding to the ruling the Interactive Advertising Bureau( IAB) Europe’s CEO Townsend Feehan told us: ” It’s interesting that the court are taking the view that the ePrivacy Directive provision appear to require users to be told how long a cookie will be functioning. That’s something that’s qualitatively a little brand-new .”
She likewise agreed the CJEU ruling will probably require some changes to some existing cookie permission notices, saying:” If now the court is taking the view that users have to have precise information about the persistence of a cookie that would definitely require changes to UIs .”
” The mind that you couldn’t have preticked cartons/ don’t constitute active consent is not really a surprise to anyone, and the idea that the ePrivacy Directive requirement applies to non-personal data as well as personal data is also not astounding ,” she also said, further claiming the IAB’s Transparency and Consent Framework( TCF) deters the use of pre-ticked boxes.
The TCF was introduced last year by the ad industry standards organization, ahead of GDPR, when the IAB made a big push to encourage publishers to use its framework to gather consents for processing pilgrims’ personal data in Europe.
However there are examples of this TCF including pre-ticked permits — such as in a widely used implementation developed by Quantcast. An adtech veteran whose business is, as it happens, currently under investigation by Ireland’s Data Protection Commission( which is looking into whether its processing and aggregating of personal data to profile Internet consumers for ad targeting are consistent with the GDPR ).
Asked whether the IAB will be advising its members to make changes to how they meet agrees in light of the CJEU ruling, Feehan said:” The recommendation until now has just been to comply with Article 13; the exposure requirements under the GDPR. Now that the court has taken a different look from the letter of the law that is something indeed we could make a recommendation. We have a working group that needs to look at whether their own policies ought to be amended in light of the decree — and so that process will play out in the next few weeks .”
She also said the IAB’s wider position on the ePrivacy Regulation remains unchanged for now — which is to say it doesn’t believe updated tracking powers are necessary.
” I don’t think this find will affect our general approach or stance on the proposed ePrivacy Regulation ,” she said.” Our view on ePrivacy Regulation is basically that it’s probably not necessary. That all one needs is the GDPR. If you look at the substantive scope of the ePrivacy Regulation in relation to the cookie supplyings … they’re completely redundant with what was adopted in the GDPR .”
Asked to respond to wider criticism of the adtech industry’s business prototype being based on consent-less tracking of Internet consumers Feehan rebuffed the criticism as” terminated nonsensical”, computing there’s nothing in the CJEU judgement to support such a view.
Today’s decision of the EU Court of Justice in the case #Planet49 is a message to the #adtech manufacture: your business pose based on unauthorized profiling, impelled moving and unconsented targeted ads is not valid under EU law #ePrivacy https :// t.co/ BDgRpB0hK 2
— Access Now (@ accessnow) October 1, 2019
” The judgement doesn’t tell us anything brand-new about the content of the law. The advertising industry needs to obey the law, the great majority of players in the digital advertising industry obey the law. And this find doesn’t tell us anything new as far as I’m concerned about the law … It does feed this perhaps more precise requirement with respect to the obligation to disclose the duration of persistence of cookies. But I don’t understand on what basis anyone would read today’s ruling and decide that based on that reading one is found that the business model is illegal. I don’t understand the logic of that .”
This report was updated with observe from the IAB Europe