The CMDS Blog
Published in

The CMDS Blog

Who Regulates Our Cookies? Sometimes No One Knows

Image via

By Zsuzsa Detrekői

A long-awaited ePrivacy Regulation, yet to be approved by the EU, is expected to sort out how cookies are regulated. But a decision of Europe’s court of justice last fall is already changing the rules on handling website cookies.

When Europe’s personal data protection law was approved four years ago, many expected the EU to also adopt a set of rules on online privacy. Four years later, mandarins in Brussels are still scrambling to come up with an acceptable version of the ePrivacy Regulation.

But while EU it’s still scratching its head over online privacy rules, a decision last October by the Court of Justice of the European Union (CJEU) is providing some needed guidance on how cookies are stored and accessed by websites.

More Than Ticking Boxes

The CJEU’s decision is based on a case dating back to 2013, referred to a preliminary ruling by the German Federal Court of Justice. The case involved a lottery organized by Planet49 GmbH, a Germany-incorporated online gaming company. To enter the lottery, in addition to filling in some personal information, users were presented with two pre-ticked checkboxes accompanied by explanatory texts. The first checkbox required users to agree to be contacted by other firms for promotional offers whereas the second one required users to consent to the installation of cookies on their device. In order to participate in the lottery, the first checkbox needed to stay ticked.

According to the CJEU, “a pre-checked checkbox which that user must deselect to refuse his or her consent” is not considered consent for the storage of and access to cookies on the user’s device regardless of whether “the information stored or accessed on the user’s equipment is personal data.”

The court also noted that consent must be specific. Selecting the button to participate in a promotional lottery is not sufficient to conclude that the user consented to the storage of cookies. According to the court, websites must inform users about how long they will use the cookies and whether third-parties may have access to those cookies.

In brief, the CJEU told websites that, to use cookies, active consent is required in the form of a statement or through clear affirmative action.

A Moving Target?

Many of the issues addressed in the CJEU’s ruling are likely to be covered by the ePrivacy Regulation, a planned EU law aimed at regulating cookies, direct marketing and confidentiality of communications. The regulation was expected to be adopted in 2016 along with the General Data Protection Regulation (GDPR), Europe’s main law covering personal data. However, negotiations stumbled over various issues, mostly related to confidentiality of communications, which delayed the adoption of the law to this day.

Although the text of the proposed regulation is constantly changing, the main idea of active consent from end-users for web cookies (those small pieces of data stored on users’ computers to help websites remember stateful information) seems to stay intact. On the other hand, the list of exceptions constantly changes. In one of the recent versions, for example, authentication session cookies and/or cookies used to remember items selected by the end-user and placed in shopping baskets are exempt from consent.

The ePrivacy Directive of 2002, which is expected to be replaced by the upcoming ePrivacy Regulation, required an opt-out solution besides clear and comprehensive information about, among other things, the purpose of processing the data. According to the directive, “users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment.”

Another EU law, the Directive 2009/136/EC on users’ rights online, amended the ePrivacy Directive, replacing the right to refuse with “consent.” As a result, users’ consent could no longer be presumed. The amended law offered the possibility to give consent through a browser “where it is technically possible and effective.” That meant in practice that users could block cookies through the browser, basically opting out from installing future cookies.

Due to the obscurity of legal requirements though, various EU member states interpreted differently the necessity of consent for cookies. Some countries understood that end-users should opt in (meaning to explicitly give consent) for cookies while others supported an opt-out solution (giving users the possibility to block installation of cookies through the browser). As a result, the application of the rules on cookie consent was marred by chaos.

A series of regulations, corporate decisions and legal provisions have further complicated matters.

In 2015, Google required users of the company’s ad sales program AdSense (which are basically all websites) that had visitors from EU countries to follow EU regulations by giving visitors information about how their cookies were used and obtaining consent for cookie usage from users. Consequently, most websites started to provide some kind of pop-up notice about cookies and an “OK” button, without any real possibility to decline consent.

Apart from the lack of rules on cookies, GDPR introduced a requirement for websites to get users’ explicit consent for data processing, the types of accepted consent excluding “silence, pre-ticked boxes or inactivity.”

In 2019, data protection authorities from the U.K., France, Germany and Spain published guides on the use of cookies and other internet tracking technologies. All of them agreed on the need for active consent for data processing, arguing that a user continuing to browse a website does not amount to user consent.

Money for Cookies

Now, the CJEU’s decision changes to some extent the rules of the game. Some of the requests put forward in the court ruling have not been thoroughly followed by some websites. Since GDPR took effect in 2018, websites have created a myriad of forms to require active consent from users; but rarely have they included information about the duration involved in the use of cookies.

Nevertheless, after the October court decision, national authorities began to impose for the first time cookie-related fines.

The Spanish Data Protection Authority imposed a fine of €30,000 on a website that failed to give users the possibility of giving a granular consent as users could only either reject all cookies or enable all kinds of cookies. They were not offered the possibility to choose among them. In a separate development, the Belgian Data Protection Authority imposed a fine worth 1% of the annual turnover of a company that failed to act in compliance with cookie rules in spite of a series of corrective actions undertaken by the company.

Following the CJEU’s decision, websites will have to reevaluate and update their cookie consent practices. Not doing so might have unwanted repercussions.

Zsuzsa Detrekői is a TMT lawyer and the former general counsel of a major Hungarian online content provider. Currently she is legal counsel of a major ISP in Hungary. She also provides legal support for the Association of Hungarian Content Providers. Her research area is online content and internet related regulations about what she wrote her thesis on and achieved PhD in 2016. She is a Fellow at the Center for Media, Data and Society.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Center for Media, Data and Society

Center for Media, Data and Society

Research center for the study of media, communication, and information policy and its impact on society and practice.