“We use cookies. We require your consent to comply with the new privacy policy“.
– ECJ substantiates requirements for cookie declarations –
What exactly is the subject?
On 1 October 2019, the European Court of Justice (ECJ) issued a landmark ruling specifying the legal requirements to be met when cookies are used on websites on the Internet (C-673/17).
As is well known, a website that is operated in the European Union or is addressed – also – to EU citizens must meet the requirements of the Basic Data Protection Regulation (DS-GVO). Accordingly, the operator is obliged to inform about the use of cookies in his data protection declaration (§§ 13, 14 DS-GVO). However, it has so far been controversial whether users are informed about the use of cookies at the beginning of their visit to the website by means of a declaration in the form of a pop-up window, a banner or in some other way and whether they must actively consent to the use before their user data is recorded or whether the operator may also use cookies without consent.
The European Court of Justice (ECJ) has now given a direction in its decision and decided that at least when non-technical cookies are used, the active consent of the user is required at the beginning of the visit to the website. The ECJ makes it clear that it does not matter whether the cookies collect personal data or not.
The existence of non-technical cookies alone is decisive for the requirement of consent.
Non-technical cookies are those that not only serve the functionality of the website, but also collect other data. These include, for example, tracking cookies, targeting cookies and cookies from social media websites.
Cookies that are absolutely necessary exclusively for the function of a website – so-called technically necessary cookies such as session cookies – are therefore not affected by the decision.
The ECJ understands active consent only as consent given by the user through active and conscious action. A preset checkbox within a cookie declaration, which appears as a pop-up window or banner (so-called “opt-out” solution), is therefore no longer sufficient after the ECJ ruling.
What do you have to do now?
We advise you to first check whether you use non-technical cookies on your website. If this is the case, you must inform the user of the type of cookies used and give them the opportunity to decide themselves via click boxes which cookies they agree to (so-called “opt-in” solution).
In practice, therefore, so-called “Consent Management Providers” (“CMP”) are increasingly being used where the user can individually consent to different types of cookies. For this purpose, a pop-up window appears on the website during the first visit with the information that and which data is collected. Here the user has the option of specifying which cookies he or she wants to allow on future visits. In addition, the user can consent to various processing purposes.