Is your use of website cookies currently lawful?

A person working at a laptop.
Photo by Glenn Carstens-Peters.

Cookies and Cookie statements have become second nature in this current digital age. Unfortunately, a ruling from the Court of Justice for the European Union (CJEU) in October of 2019 has meant that many companies have been breaking the law for the last seven months. These seemingly harmless files have been at the centre of a major court ruling that has so far slipped under the radar for many corporations. The new ruling clarifies how cookies should be managed and the subsequent impact on cookie statements. As a result, if you have not reviewed your cookie policy since October of 2019, you may no longer be operating under the law.

The Planet49 Case

The reason behind all this involves a German lottery service called Planet49 GmBH. In order to enter the lottery, Planet49 presented the user with two checkboxes. The first one, unchecked, requested consent for promotional information to be sent to the user by post. The second, pre-checked, asked data subjects to consent to the use of cookies from a third-party web analytics firm.

To enter the lottery, users were forced to consent to being sent promotional information and the lottery terms and conditions stated that users could opt-out of the use of third party cookies if they manually unchecked the box.

The Ruling

A German federal consumer rights group (Bundesverband der Verbraucherzentralen) believed that the requested declarations of consent by Planet49 did not satisfy the relevant requirements of the German data protection laws. As a result the CJEU made the following ruling:

  1. A pre-checked box would not offer consent that was legal under the e-Privacy Directive and the GDPR. The GDPR states that pre-checked boxes or indeed inactivity should not be considered or assumed as valid consent. A positive affirmative action by the data subject is needed.
  2. It does not matter what information a website cookie contains; all website cookies are considered as part of a person’s ‘privacy sphere’ whilst online; therefore, all website cookies, regardless of function, are classed as personal data.
  3. Website users must be provided with information on the duration of cookies and whether third parties have access to them.

This clarification by the CJEU invalidated a lot of existing cookie statements. If you have not checked your cookie statement since October 2019, we suggest that you research to ensure that your organisation is managing cookies in a legal fashion. To find out how Tacita can help you to remain GDPR compliant, please get in contact with a member of our team using the forms below.

About Us: Tacita are GDPR compliance experts. Tacita help clients achieve and maintain GDPR compliance. Get in touch to explore our range of GDPR services including the Tacita GDPR Audit, GDPR Consultant Service and the GDPR Toolkit.

Share this article: