On October 1st, the European Court of Justice handed down a ruling that could have a major impact on the design of the “cookie banners” widely used on the Internet.
Although the European Court of Justice was not actually considering the classic “cookie banner”, the ruling nevertheless makes statements which are significant to their practical use.
How explicit must a consent be?
Specifically, the judgment dealt with the question of how explicit consents must be on the Internet. The answer provided by the European Court of Justice: So explicit that a pre-checked box is not sufficient.
What does this mean for cookie banners?
In the past, our recommendation for the design of legally effective cookie banners was essentially as follows:
In order to obtain effective consent, it is advisable to set up a banner in which the user is not only informed about the use of tracking mechanisms and data processing requiring consent, but also has the actual choice of “agreeing” or “disagreeing”.
The most legally compliant option is to use a banner which, in its initial settings, technically prevents any tracking when accessing the website. This is also expressly required by supervisory authorities.
For example, such a banner can be displayed as an HTML element and usually consists of an overview of all processing operations requiring consent. In addition to cookies, such processing operations also include pixel code, browser fingerprints, etc.
The banner should also reflect the essential elements of the consent (e.g. involved actors and their functions), but can also refer to the privacy statement for more details. [Note: The ECJ has now also clarified that the duration of the storage of cookies should be indicated. Overall, the information must be provided as required by Art. 13 GDPR.]
Ideally, the banner will also allow the selection or deselection of individual data processing operations. If several setting options are available, the most data protection-friendly option should be preset or at the very least the ability to make a flexible selection should be offered.
Tracking is not activated until the user has given his consent(s) by an active action, e.g. by explicitly clicking on the “Agree” button or a similar phrase. A click on “disagree” or a similar phrase, or no interaction at all with the banner, on the other hand, deactivates tracking without preventing the website visitor from visiting the website.
It must be possible to call up the data protection policy without providing consent.
The banner may not impede access to the imprint or the data protection policy or cover the corresponding links.
Nevertheless, there are many banners on the Internet where the continued use of the website (depending on the settings: clicking on a link on the page, scrolling, updating the page, etc.) is interpreted as the implied consent of the website visitor.
Such an “implied consent” – as we have stated in the past – is not effective according to the current ECJ ruling.
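The banner behaviour recommended above, as an added JavaScript example that is not part of the original article: every operation starts deselected, only an explicit click on "Agree" activates the operations the visitor has ticked, and scrolling, following a link or reloading change nothing. The operation names, event names, createConsentGate and loadTracker are hypothetical, and "Agree" is assumed to apply the current selection.

```javascript
// Added example: consent gate for a cookie banner (all names hypothetical).
// Constructed list of processing operations that require consent.
const OPERATIONS = ["analytics", "remarketing", "fingerprinting"];

function createConsentGate(loadTracker) {
  // Most data-protection-friendly preset: every operation starts unselected.
  const selected = new Map(OPERATIONS.map((op) => [op, false]));
  const active = new Set();
  let decided = false;

  return {
    // Checkbox toggles in the banner; ticking a box is not yet consent.
    // Selections are frozen once the visitor has decided.
    select(op, on) {
      if (!selected.has(op)) throw new Error(`unknown operation: ${op}`);
      if (!decided) selected.set(op, Boolean(on));
    },
    // Every user interaction is routed through here.
    handle(event) {
      if (decided) return [...active];
      if (event === "click-agree") {
        decided = true;
        for (const [op, on] of selected) {
          if (on) { active.add(op); loadTracker(op); }
        }
      } else if (event === "click-disagree") {
        decided = true; // nothing is loaded, the site stays usable
      }
      // "scroll", "navigate", "reload" and anything else: implied
      // behaviour is not consent, so the state does not change.
      return [...active];
    },
    isActive: (op) => active.has(op),
  };
}

// Constructed session: the visitor scrolls, follows a link, ticks one
// box and only then clicks "Agree".
function demo() {
  const loaded = [];
  const gate = createConsentGate((op) => loaded.push(op));
  gate.handle("scroll");
  gate.handle("navigate");
  const beforeAgree = [...loaded];
  gate.select("analytics", true);
  gate.handle("click-agree");
  return { beforeAgree, loaded };
}
```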
When is consent actually required?
With regard to tracking for advertising purposes (remarketing, conversion tracking, Facebook pixels, etc.), the ECJ ruling makes clear, from our point of view, the requirement that effective consent must be obtained. This is consistent with the previous view of the German supervisory authorities. Here, cookie banners which meet the requirements set out above must be used.
If you are using a cookie banner, check its effectiveness using the specifications provided above.
If you carry out a visitor measurement on the basis of Art. 6 para. 1 lit f GDPR – i.e. without consent – the risk has increased. If you want to be on the safe side, use an effective cookie banner here as well.