Background
The C-673/17 ruling by the Court of Justice of the European Union (CJEU) clarified the way in which consent for cookies (and data packets and web beacons) should be implemented within websites and apps.
Even though the requirement for cookie consent comes from the Privacy and Electronic Communications Regulations (PECR), the level of consent required is dictated by the standards set out in the GDPR. This is because the GDPR takes precedence when there is a conflict between the two.
This blog provides a brief outline of the ruling and The DPO Centre’s guidance on how it should be interpreted.
The Impact of the Ruling
The ruling confirms that consent must be identifiable, granular and provided through positive action.
Website visitors should be offered a choice between accepting essential and non-essential cookies.
Websites should not simply state that “cookies are used” and offer “OK” or “Close” buttons. Neither should they present pre-checked boxes accepting all cookies. These methods are no longer considered to meet the required standards.
Essential and Non-Essential Cookies
Google Analytics Cookies
There is still some confusion over Google Analytics cookies. Under PECR, analytics cookies are considered non-essential, so they require specific consent. However, the upcoming ePrivacy Regulation, which will replace PECR, is likely to say (in simple terms) that they do not require specific consent.
DPO Centre Guidance
The DPO Centre therefore recommends that, to be compliant, your website cookie consent functionality should be as follows:
1. Upon initial entry to the site
2. If visitors click “Use Essential Cookies only”
3. If visitors click “Accept All”
Updating consent
The GDPR states that visitors must be able to withdraw consent as easily as they give it.
You must therefore offer visitors the ability to change their cookie consent preferences. This can be done from a link within your cookie policy which brings up the same initial consent request message again.
If visitors do change their consent from “Accept all cookies” to “Use essential cookies only” then all existing, non-essential cookies must be removed or blocked. You are always free to repeat the consent request periodically and try to gain visitors’ full consent at a later date.
Ideally, consent should be renewed at least annually.
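The consent flow described in this guidance (an explicit "Use essential cookies only" / "Accept all" choice with no default, non-essential cookies blocked until consent is given, purged when consent is withdrawn, and consent asked for again after a year), as an added example in JavaScript. This is illustrative code, not code from The DPO Centre or from the ruling. It assumes a site-specific registry of cookie names, a consent cookie named `cookie_consent` and a 365-day renewal period; every cookie name below is constructed for the example. The cookie jar is an in-memory stand-in so the logic runs outside a browser; on a real page the same four-method interface would be backed by `document.cookie`.

```javascript
// Added example, not The DPO Centre's code: a minimal cookie consent manager
// implementing the pattern the guidance describes. Names are assumptions.

const CONSENT_COOKIE = "cookie_consent";                 // assumed cookie name
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;    // renew at least annually

// Constructed registry of the cookies this site sets and whether each one is
// essential (strictly necessary) or non-essential (analytics, advertising).
const COOKIE_REGISTRY = {
  session_id: { essential: true },
  csrf_token: { essential: true },
  _ga:        { essential: false, purpose: "analytics" },
  ad_id:      { essential: false, purpose: "advertising" },
};

// In-memory cookie jar so the logic can run outside a browser. On a page the
// same interface (get / set / remove / names) can wrap document.cookie.
function createMemoryJar() {
  const store = new Map();
  return {
    get: (name) => (store.has(name) ? store.get(name) : null),
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
    names: () => Array.from(store.keys()),
  };
}

// Returns the stored consent record, or null if there is none, it is
// malformed, or it is older than the renewal period (visitor must be asked again).
function readConsent(jar, now = Date.now()) {
  const raw = jar.get(CONSENT_COOKIE);
  if (!raw) return null;
  let record;
  try { record = JSON.parse(raw); } catch { return null; }
  if (record.choice !== "essential" && record.choice !== "all") return null;
  if (typeof record.givenAt !== "number") return null;
  if (now - record.givenAt > CONSENT_MAX_AGE_MS) return null;
  return record;
}

// True when the consent request message must be shown: no valid consent yet.
function needsConsentPrompt(jar, now = Date.now()) {
  return readConsent(jar, now) === null;
}

// Removes every cookie that is not registered as essential. Anything unknown is
// treated as non-essential, so nothing unregistered survives without consent.
function purgeNonEssentialCookies(jar) {
  const removed = [];
  for (const name of jar.names()) {
    const entry = COOKIE_REGISTRY[name];
    if (name !== CONSENT_COOKIE && !(entry && entry.essential)) {
      jar.remove(name);
      removed.push(name);
    }
  }
  return removed;
}

// Records a positive choice. There is no default and no pre-checked state:
// only the two explicit values the banner offers are accepted.
// Choosing "essential" also purges existing non-essential cookies.
function recordConsent(jar, choice, now = Date.now()) {
  if (choice !== "essential" && choice !== "all") {
    throw new Error("consent requires an explicit choice: 'essential' or 'all'");
  }
  jar.set(CONSENT_COOKIE, JSON.stringify({ choice, givenAt: now }));
  return choice === "essential" ? purgeNonEssentialCookies(jar) : [];
}

// Withdrawing is as easy as giving: a single call with the same effect as
// clicking "Use essential cookies only" in the re-shown consent message.
function withdrawConsent(jar, now = Date.now()) {
  return recordConsent(jar, "essential", now);
}

// Gate every cookie write. Essential cookies are always allowed; non-essential
// ones only while a valid "all" consent is stored.
function canSetCookie(jar, name, now = Date.now()) {
  const entry = COOKIE_REGISTRY[name];
  if (entry && entry.essential) return true;
  const consent = readConsent(jar, now);
  return consent !== null && consent.choice === "all";
}

function setCookieIfAllowed(jar, name, value, now = Date.now()) {
  if (!canSetCookie(jar, name, now)) return false;
  jar.set(name, value);
  return true;
}
```

One caveat that matters in practice: a page script can only delete cookies scoped to its own domain. Cookies set directly by a third-party domain (an advertising or analytics host) cannot be removed this way, so for those "removed or blocked" has to mean not loading the third-party script at all until `readConsent` reports an `all` choice.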
If you would like more assistance regarding cookies and consent, please contact us to find out how we can help.