As a result of the Planet 49 decision (Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV v Planet49 GmbH (Case C-673/17)) in the European Court of Justice (ECJ), businesses may need to make changes to their existing cookie banners, cookie consent notices, or the way in which they use cookies.

The Cookie Three C’s – Consent, Clear and Comprehensive information

The ECJ Planet 49 decision provides guidance and certainty about how consent for the use of cookies should be obtained from device users.

Under the E-Privacy Directive (2002/58/EC), website operators and other online providers that set cookies on user devices must (unless an exception applies) comply with the Cookie Three C’s:

  • obtain consent to the setting and use of non-essential cookies on the user’s device; and
  • provide users with "clear and comprehensive information" about the purposes for which cookies are stored and accessed.

Consent

The General Data Protection Regulation (GDPR) introduced a higher standard of ‘consent’ with effect from 25 May 2018, which applies to cookies. Consent must be:

  • freely given;
  • specific;
  • informed; and
  • an unambiguous indication of agreement by clear affirmative action.

This definition of consent to cookies applies regardless of whether personal data is processed.

The decision clarifies that a website user’s consent to the use of cookies must be active and specific.

Consent to cookies cannot be inferred from the following:

  • a website user continuing to use/browse a website;
  • silence;
  • the use of pre-ticked boxes or inactivity.

In order to be compliant, consent must be obtained separately from terms and conditions and before the cookie is set.

Clear and Comprehensive

Information on cookies must be in clear and plain language. Users must be told:

  • how long each cookie will be stored on their device;
  • the purpose of the cookie;
  • whether third parties can set cookies;
  • what third party cookies are set;
  • who the third party setting the cookie is;
  • whether third parties can access the data collected by the cookies on the website.

Users must be given information on how they can accept all/some or none of the cookies operating on the website and how they can change their user preferences.

This therefore covers non-essential cookies which may track a user’s behaviour online (targeted advertising), including where such tracking and use of cookies is set or provided by a third party, such as online advertising networks or social media platforms.

ICO guidance

The ICO Cookie guidance states that for consent to the use of cookies to be valid, there must be some kind of positive action by the website or service user (for example, by clicking "I Accept" on a cookie banner, clicking a link or by picking preferences on a settings list). However, the ICO makes clear that a consent mechanism that emphasises "agree" or "allow" over "reject" or "block" represents an approach that would be non-compliant.

Risks of non-compliance

The ICO has the ability to levy substantial fines for failure to comply with laws relating to cookies, including fines of up to £500,000 for failing to comply with the E-Privacy Directive, and up to €20 million or 4% of total worldwide annual turnover (whichever is the higher) for failing to comply with the GDPR and the Data Protection Act 2018.

If you would like any advice in relation to your cookies policy, your compliance with the E-Privacy Directive or the GDPR, please contact one of our lawyers on 0161 941 4000 and ask for our Corporate/Commercial department or email us.