On October 1st, the European Court of Justice handed down a ruling that could have a major impact on the design of the “cookie banners” widely used on the Internet.

Although the European Court of Justice was not actually considering the classic “cookie banner”, the ruling nevertheless makes statements which are significant to their practical use.

How explicit must a consent be?

Specifically, the judgment dealt with the question of how explicit consents must be on the Internet. The answer provided by the European Court of Justice: So explicit that a pre-checked box is not sufficient.

What does this mean for cookie banners?

In the past, our recommendation for the design of legally effective cookie banners was essentially as follows:

In order to obtain effective consent, it is advisable to set up a banner in which the user is not only informed about the use of tracking mechanisms and data processing requiring consent, but also has the actual choice of “agreeing” or “disagreeing”.

The most legally compliant option is to use a banner which, in its initial settings, technically prevents any tracking when accessing the website. This is also expressly required by supervisory authorities.

For example, such a banner can be displayed as an HTML element and usually consists of an overview of all processing operations requiring consent. In addition to cookies such processing operations also include pixel-code, browser fingerprints, etc.

The banner should also reflect the essential elements of the consent (e.g. involved actors and their functions), but can also refer to the privacy statement for more details. [Note: The ECJ has now also clarified that the duration of the storage of cookies should be indicated. Overall, the information must be provided as required by Art. 13 GDPR.]

Ideally, the banner will also allow the selection or deselection of individual data processing operations. If several setting options are available, the most data protection-friendly option should be preset or at the very least the ability to make a flexible selection should be offered.

Tracking is not activated until the user has given his consent(s) by an active action, e.g. by explicitly clicking on the “Agree” button or a similar phrase. A click on “disagree” or a similar phrase or no interaction at all with the banner, on the other hand, deactivates tracking without preventing the website visitor from visiting the website.

It must be possible to call up the data protection policy without providing consent.

Since a consent is revocable, the data protection policy must be adapted accordingly and the controller must offer the possibility of revocation. The possibility of revocation should also be possible via the banner, but a revocation via a link in the privacy policy would also be an option which is effective. In principle, the revocation must be as simple as the granting of consent. After the revocation, the visitor may no longer be tracked.

The banner may not impede access to the imprint or the data protection policy or cover the corresponding links.

Nevertheless, there are many banners on the Internet where the continued use of the website (depending on the settings: clicking on a link on the page, scrolling, updating the page, etc.) is interpreted as the implied consent of the website visitor.

Such an “implied consent” – as we have stated in the past – is not effective according to the current ECJ ruling.

When is consent actually required?

If one reads the ruling of the European Court of Justice, one could think at first glance that the European Court of Justice makes any form of the use of cookies subject to consent. In our opinion, however, this is not the case for technically necessary cookies, which are used neither for visitor measurement nor for advertising purposes.

With regard to tracking for advertising purposes (remarketing, conversion tracking, Facebook pixels, etc.), the ECJ ruling makes clear, from our point of view, the requirement that effective consent must be obtained. This is consistent with the previous view of the German supervisory authorities. Here, cookie banners which meet the requirements, set out above, must be utilized.

With regard to cookies used purely for visitor measurement, German supervisory authorities have up to now permitted a weighing of interests pursuant to Art. 6 para. 1 lit. f GDPR as a legal basis. Especially with regard to the use of software using minimal amounts of data (e.g. Matomo), a pure visitor measurement was conceivable in the past despite the use of cookies even without a cookie banner. From our point of view, this assessment reflected the interests of and in practice favored website operators who carried out a visitor measurement using minimal amounts of data, did not pass on data to third parties and only used the measurements to optimize their website. However, this position may now have been watered down by the ruling of the European Court of Justice. If you want to be sure, you should use a (effective) cookie banner here as well.

Conclusion:

If you are using a cookie banner, check its effectiveness using the specifications provided above.

If you carry out a visitor measurement on the basis of Art. 6 para. 1 lit f GDPR – i.e. without consent – the risk has increased. If you want to be on the safe side, use an effective cookie banner here as well.