New ECJ ruling – is it time to review your use of cookies and your cookie policy?

An important aspect of the EU data protection and e-privacy regime has been clarified in a recent European Court of Justice (ECJ) ruling concerning the transparency and storage of online cookies.

A cookie is defined as a small text file which sits on a user’s device or browser and assists with information flow and functionality.

In the case of Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände, online gaming company Planet49 GmbH used a pre-checked tick box in a lottery competition as a form of consent to the installation of cookies on users’ devices. The box was already ticked on the competition page, forcing users to deselect it if they refused their consent to storing cookies.

The ECJ questioned whether collecting consent in this fashion was valid. It considered numerous issues and the key points found were:

  • consent must be obtained through active behaviour by a web user; a pre-ticked box does not constitute valid consent. This means users must actively give their consent (eg tick the box).
  • information on cookies, including the duration for which they are held, and whether any third parties have access to them, must be disclosed to web users.
  • the requirement for consent to store and process cookies is not restricted to cookies containing personal data.

This recent ruling not only affects European websites but also the operators of non-EU websites. Assuming those websites tend to set cookies on users’ devices wherever in the world those devices are located, then if the organisation setting them is using them to build customer profiles, it will be subject to the GDPR in respect of the data it collects about individuals in the EEA.

Is it time to review your use of cookies and your cookie policy to ensure that your website and marketing processes comply? Failure to do so can result in a hefty fine.

We have data protection experts who can advise your organisation and staff on all things concerning the General Data Protection Regulation (GDPR). From GDPR audits and advice to training, as well as Article 27 EU and UK Representation services, we can help you irrespective of where you are located in the world. Contact Kym Fletcher.