This means consent requires an active opt-in.
CJEU’s ruling comes as part of a case against the lottery website, Planet49, which asked users to give consent for cookies in order for them to play a promotional game (bundling cookie consent with another purpose).
Isn’t this already the case?
You might assume that explicit consent is already required under GDPR, which states that when consent is used as the legal basis to process personal data it must be ‘freely given, specific, and informed’. However, the majority of companies seem to be skirting around this, perhaps fearful of the impact on tracking of their users for advertising and analytics. Confusion is amplified by the fact that the GDPR is supplemented by the ePrivacy Directive (or ‘cookie law’).
GDPR’s 88 pages only directly refer to cookies once, effectively stating that companies have a right to process their users’ data as long as they receive consent or have a legitimate interest. In a recent paper, the ICO stated that: “Discussions with IAB and IAB Europe in August 2018 indicated that a number of TCF participants were indeed relying on legitimate interests to set cookies.”
Meanwhile, the ePrivacy Directive (which pre-dates GDPR) states that websites must receive users’ consent before the use of cookies – with the exception of ‘strictly necessary’ cookies. The update to the ePrivacy Directive (which is known as the ePrivacy Regulation) is still ongoing after heavy pushback from adtech and telecoms companies.
Now, CJEU’s recent ruling is likely to inform the new ePrivacy rules, while also serving as a wake-up call for websites currently flouting the rules around cookie laws.
What are websites currently doing?
A recent study by researchers from the University of Michigan and Ruhr-University Bochum in Germany found that 86% of cookie consent notices (out of 5,000 analysed) offered no options other than a confirmation button. More often than not, these buttons do not actually serve any purpose (as they do not actively ask for consent).
The study also found widespread manipulation of the current system, with 57% of cookie consent notices using ‘dark pattern’ techniques to nudge users into giving consent, for example by making the ‘more options’ button less visible and highlighting the ‘agree’ button.
Similarly, only 39% of notices mentioned the exact purpose for the data collection, and only 21% stated who can actually access the data.
Overall, the study concluded that if cookie notices were actually compliant with the EU’s existing privacy laws, only a small percentage of consumers would give consent. This is because the lack of choice and absence of information nudges consumers to click ‘OK’ without much consideration. In contrast, the more choices are offered, the more consumers are likely to decline their consent. This highlights why companies are reluctant to be more transparent: largely out of fear that consumers will opt out.
What about cookie walls?
Another area of confusion for consumers is ‘cookie walls’, where a user is denied access to a website if they do not give consent to cookie data being tracked. The data is effectively given in ‘exchange’ for content.
As a result, many consumers will automatically agree just to be able to gain access (even if they wouldn’t otherwise) – as well as agree in all instances due to the assumption that website policies are likely to be the same or similar.
Earlier this year, however, the Dutch Data Protection Agency concluded that cookie walls are not compliant with GDPR, stating that “permission is not ‘free’ if someone has no real or free choice. Or if the person cannot refuse giving permission without adverse consequences.” In most cases, the consequences would be refusal to enter a site.
This conclusion is certainly positive, but the DPA can be overruled by the CJEU, and therefore be subject to legal challenge. In its recent ruling, the CJEU did not come to any conclusion on cookie walls, stating that “further clarity may come from the Orange Romania case”, which is also pending in the European Court of Justice.
Transparency also a stipulation
CJEU’s recent ruling stipulated not only the need for explicit consent, but also that websites must state specific information about the cookie in order for consent to be valid. This means providing information on the duration of the cookie, and who will have access to the data that is being tracked.
This is certainly the most surprising element of the ruling, and the part that is likely to prompt many within the industry to change their approach.
Alongside changing the way consent is given, it will also require website operators to proactively change user interface text to reflect expiration dates. Essentially, there will be no way to hide or obscure how persistently they are tracking users, which throws up another issue that many consumers are likely to be unaware of.
Thanks to CJEU’s ruling, greater compliance certainly looks to be on the way. For publishers and advertisers, it remains to be seen what the impact will truly be. However, it could be wise to look beyond basic cookie data in order to identify and target the most relevant consumers (and ensure regulation compliance).