The C-673/17 ruling by the Court of Justice of the European Union (CJEU) clarified the way in which consent for cookies (and data packets and web beacons) should be implemented within websites and apps.
Even though the requirement for cookie consent relates to the Privacy and Electronic Communication Regulation (PECR), the level of consent required is dictated by the standards set out in the GDPR. This is because the GDPR takes precedence when there is conflict between the two.
This blog provides a brief outline of the ruling and The DPO Centre’s guidance on how it should be interpreted.
The Impact of the Ruling
The ruling confirms that consent must be identifiable, granular and provided through positive action.
Website visitors should be offered a choice between accepting essential and non-essential cookies.
Websites should not simply state that “cookies are used” and offer “OK” or “Close” buttons. Neither should they present pre-checked boxes accepting all cookies. These methods are no longer considered to meet the required standards.
Essential and Non-Essential Cookies
Google Analytics Cookies
There is still some confusion over Google Analytics cookies. Under PECR, analytics cookies are considered non-essential, so they require specific consent. However, the upcoming ePrivacy regulation, which will replace PECR, is likely to say (in simple terms) that they do not require specific consent.
DPO Centre Guidance
The DPO Centre therefore recommends that, to be compliant, your website cookie consent functionality should be as follows:
1. Upon initial entry to the site
2. If visitors click “Use Essential Cookies only”
3. If visitors click “Accept All”
The GDPR states that visitors must be able to remove consent as easily as they give it.
If visitors do change their consent from “Accept all cookies” to “Use essential cookies only” then all existing, non-essential cookies must be removed or blocked. You are always free to repeat the consent request periodically and try to gain visitors’ full consent at a later date.
Ideally, consent should be renewed at least annually.
If you would like more assistance regarding cookies and consent, please contact us to find out how we can help.