Information about Cookies

by | Oct 10, 2019 | IT

It could be useful to review the disclaimer that those responsible for websites show on their home pages to provide information about the use of cookies to Internet users, as a result of the recent judgement of the Court of Justice of the European Union (CJEU) of 1 October 2019 on case C-673/17, to find out if it meets the requirements stipulated in the data protection regulations.

The Court of Justice ruled on relevant aspects concerning consent, data processing and the data controller’s duty to provide information about the use of cookies in order to respond to a preliminary ruling submitted by the German Supreme Court.

The issue that was dealt with in the dispute concerned the legality of obtaining consent for processing the data obtained and use of cookies on a website that organised a promotional game for the company Planet49.

In order to obtain a user’s consent, the website had two separate boxes with different informative texts. In the first box, which was not checked by default, it was explained that Internet users’ consent must be obtained for the purpose of the advertising that would be launched by certain companies and sponsors. In the second box, consent was obtained for the use of the web page analysis service and for installing cookies to analyse Internet users’ behaviour in order to send them advertisements based on their browsing habits. In this case, the box was previously checked.

Users could only take part in the game if they checked the first box but, obviously, they could uncheck the second box. However, this aspect raised doubts for the German Court regarding the validity of obtaining users’ consent and the content of the information so it submitted these questions to the Court of Justice.

The first question considered the validity of the consent obtained with a pre-checked box that Internet users had to unselect if they did not want to authorise the use of cookies. It was also asked whether or not the fact that the information processed did not constitute personal data would make any difference. The second question was related to the information that the data controller must provide to Internet users in order to obtain their consent.

Regarding the first question, the Court of Justice replied that Internet users’ behaviour must be active for them to be deemed to have granted their consent. What is interesting about this decision is that it shows the Regulation introduced stricter requirements by stipulating the need for specificity, which requires that the specific purposes of the processing must be disclosed for consent to be granted, repeating that the freely given, specific, informed and unambiguous wishes of the data subject are only deemed as expressed when there is clear affirmative action (Pº 61).

Another interesting aspect of the Judgement is that the CJEU considered the requirement to obtain consent does not depend on the type of data being processed. This means that it is irrelevant whether or not they are personal data because the requirements that must be met to obtain consent are the same (Pº 71).

Finally, the CJEU ruled that, in accordance with the Regulation, in order to ensure fair and transparent processing, the data controller must provide users with information relating to the period for which the personal data will be stored or at least the criteria used to determine that period; therefore, information must be provided about the duration of the operation of cookies and whether or not third parties may have access to such cookies (Pº. 79 and 81).

With the previous information, it only remains to review whether or not the disclaimer about the use of cookies on our website meets the requirements stipulated in the Regulation, as explained in this Judgement.

Carmenchu Buganza