What is the CJEU?
The CJEU is the Court of Justice of the European Union. According to the europa.eu, “The Court of Justice of the European Union (CJEU) interprets EU law to make sure it is applied in the same way in all EU countries, and settles legal disputes between national governments and EU institutions.
It can also, in certain circumstances, be used by individuals, companies or organisations to take action against an EU institution, if they feel it has somehow infringed their rights.
What was the ruling?
The CJEU ruled against the online gambling site, Planet49, and found:
- Requiring that users “un-check” the pre-ticked checkboxes is not a valid form of consent to the use of cookies as it’s not an “affirmative” action taken by the user.
- The affirmative action to consent to the use of cookies must be clear and specific. This likely means that having a button that conflates access to the site with consent to cookies (e.g., “Accept and Proceed to Site”) is not a valid form of consent.
This means that companies using ‘implied consent’ or similar tactics will likely need to reevaluate their approach and move toward “prior consent.”
What is prior consent?
Prior consent, also known as “opt-in” consent, means advertising and marketing cookies aren’t dropped unless the user has explicitly given permission for the website to do so. This varies from the “implied consent” so commonly found across the web that drops cookies on users and suggests that “by using the site, the user agrees to the use of cookies.”
What other implications does the CJEU decision have?
The decision also clarified some additional items, outlined on Twitter by Gabriela Zanfir-Fortuna, Senior Counsel to the Future of Privacy:
- Users need “clear and comprehensive” information on the consequences of consenting to the use of cookies, including how long the cookie will be stored and accessed (i.e., expiration date of cookies).
- The information stored on the cookie – or any tracker for that matter – does not have to contain “personal data” for it to be subject to ePrivacy Directive (ePD) and therefore GDPR. The intent of the law is to protect users from being identified without the tools necessary to consent to such actions.
What action should I take to align with the ruling?
If you are a Universal Consent Platform customer and have not implemented “prior consent,” please see this guide for instructions.
If you are using SiteNotice or are unsure of how to proceed, please contact your Customer Success Manager.
In the meantime, let us know if you have any other questions about this ruling and how we can help you and your organization stay compliant.