The perplexing question of what U.S. companies must do to comply with EU “cookie” law became slightly clearer with the recent decision of the European Court of Justice (CJEU) in Planet49 GmbH, but numerous questions remain. A main source of confusion about cookies is the interplay between two EU privacy laws, the ePrivacy Directive and the GDPR. The former governs, among other things, the placement of cookies and marketing pixels on the browsers of website visitors; the latter governs the subsequent processing of personal data, which in many cases includes data collected through cookies. Some cookies, in other words, are subject to the ePrivacy Directive but not the GDPR. Another complication is that the ePrivacy Directive does not have extra-territorial effect, whereas the GDPR does.
Many privacy professionals had hoped that the CJEU’s ruling in Planet49 would provide some much-needed clarity to a muddled legal picture. And it does, sort of.
The case involved participation in a lottery organized by Planet49 GmbH, an online gaming company. To enter the lottery, internet users were prompted to enter their personal information and were then presented with two checkboxes. The first asked the user to agree to be contacted by other businesses with promotional offers. The second, which was pre-ticked, asked the user to consent to cookies. In order to participate in the lottery, the first checkbox had to be ticked; the second did not.
The first question referred to the CJEU concerned whether the use of a pre-ticked box was sufficient to obtain valid consent for placing cookies on a user’s device. The second question referred to the CJEU was whether service providers need to give users information specifically about the duration of the operation of the cookies and access by third parties.
How Planet49 Establishes Some Clear Guidelines
The CJEU’s recent ruling in Planet49 helps to clarify some of the rules governing the placement of cookies. First, the CJEU ruled that Planet49’s use of a pre-ticked box is not a sufficient basis to establish consent. The writing had been on the wall for pre-ticked boxes even before the GDPR took effect (Recital 32 of the GDPR states that silence, pre-ticked boxes or inactivity should not constitute consent), so this part of the ruling is not surprising.
What makes the ruling significant is the Court’s finding that consent requires some affirmative action on the part of the user. Although the ruling technically addresses consent under the ePrivacy Directive, it suggests that inferring consent from passive activity, such as continued browsing of a website, may not meet the GDPR’s more exacting “affirmative consent” standard. This finding aligns with recent guidance from the ICO, the CNIL and the German data protection authorities (DPAs), all of which have aligned consent under the ePrivacy Directive with the GDPR standard and have explicitly stated that continued browsing of a website, on its own, does not constitute consent. The CJEU did not go quite this far, but the days may be numbered for cookie banners that infer consent from continued browsing.
Second, the ruling makes clear that website operators must gather consent for the placement of all non-essential cookies on a user’s device, regardless of whether the information stored in or read from the cookie is personal data. This includes analytics cookies, which are commonly used by most companies with a website.
Lastly, the CJEU ruling requires that website operators disclose the duration for which cookies will operate, as well as whether third parties have access to them, in order to satisfy the requirement that consent be a “freely given, specific and informed” indication of the user’s wishes. The ruling does not state what the maximum retention period for a cookie should be, but some EU regulators have suggested retention periods in recent guidance.
What the CJEU Ruling Doesn’t Resolve
For U.S. companies with an establishment in the EU, the CJEU ruling leaves a number of thorny issues unaddressed. In particular, one open question is what, if any, user actions short of clicking an “Accept” button might constitute valid cookie consent. While continued browsing may not be sufficiently active to establish consent, would closing or dismissing a cookie banner be?
The subsequent processing of data collected by tracking cookies for the placement of targeted ads is another issue that remains muddled in the wake of the CJEU opinion. The ICO has taken the position that a data controller cannot rely on legitimate interests as a lawful basis for subsequent processing of cookie data, particularly data from tracking cookies. The CNIL and the German DPAs have not gone as far as the ICO and appear to leave open the possibility that legitimate interests may be a permissible basis for subsequent processing of cookie data.
For U.S. companies that don’t have an establishment in the EU, compliance is even more complicated, insofar as these companies may be subject to the GDPR but not to the ePrivacy Directive, which applies through the national laws of the Member States that implement it. The GDPR only governs the processing of cookies or other online identifiers that gather or contain personal data, whereas the ePrivacy Directive covers the placement of any cookie or file on a user’s browser. Thus, for U.S. companies that don’t maintain an EU establishment, it remains unclear whether the guidance of EU data regulators regarding analytics cookies, for example, applies to them.
The bottom line is that for U.S. companies doing business in Europe, the CJEU’s recent ruling provides some important guardrails for fashioning cookie banners and policies, but numerous questions remain unresolved. Until an ePrivacy Regulation is adopted, U.S. companies will likely follow the proverbial herd, trying their best to hide in a crowd of other companies also struggling to understand where the lines lie.