ECJ Ruling on Cookie Laws Finds Most Websites Non-Compliant


The festive season is nearly upon us; and while you might be dreaming about cookies of the sugary and Christmas themed type, European judges have other ideas. The other type of cookie – and most likely the more frequent – are those used on websites to store small amounts of information on our local endpoints to assist with functionality.

Cookies have a number of uses. Some cookies save the contents of your shopping cart as you browse from page to page, some are used track which parts of a website you are most interested in, and others can be used to deliver advertisements on various platforms as you browse the internet.

[You may also be interested to read “Data Breaches and the GDPR – 1 Year Later”]

Privacy and Electronic Communications Regulations 2002


To date, the use of cookies in EU member states and EEA countries have been regulated by the Privacy and Electronic Communications Regulations (PECR) of 2002, which required three things to be true for the lawful use of cookies on websites:

  1. Get consent for the use of cookies.
  2. Explain to users what cookies are in use on the website.
  3. Explain what each cookie does.

Since 2003, interpretation of this law has been those banners which you probably encounter on each site you visit warning you that cookies are in use, with an accept or okay button used to dismiss the banner from view.

In this scenario, cookies are used as soon as the user access the website, with the banner functioning as informational only. The only way to avoid those cookies is to not access the site at all.


European Court of Justice Rules on Active Consent for Non-Functional Cookies


On the 1st of October 2019, the European Court of Justice (ECJ) ruled on a year-long case against Planet49 GmbH by the German Federation of Consumer Organisations, against the use of assumptive consent for all non-functional cookies – otherwise known as a pre-ticked checkbox.

This ruling means that only active consent from the user can constitute lawful consent, throwing the current cookie banner format norm into the bin of non-compliance. The ECJ has taken exception to those cookies which must be deployed for proper function of the website. Going back to our earlier example, this would include cookies for technologies like shopping baskets, but those cookies used for tracking and marketing now require active consent.

In essence, cookies that are deployed at the point of website access with a subsequent banner explaining that cookies are in use must be changed so that only functional cookies are deployed upon website access. All other cookies can only be deployed when a banner-based accept button is pressed by the user.


Not All Member States are Equal


What is interesting about this ruling is that it is based on the PECR directive of 2002, which has not been fully implemented in all EU member states. This means the ruling from the ECJ does not directly apply in Germany, Czech Republic and Estonia, but it does in the UK.

This ruling is unlikely to be welcomed by website administrators and marketers who will see this as an attack on targeted-advertising and website analytics. After all, it is very unlikely that someone will give consent to non-functional cookies, especially those related to tracking.

In a world of the GDPR restricting outbound marketing, and now rulings on the PECR making it more difficult to create trackable inbound marketing campaigns, businesses will be keen to see what is in store for them with the updated PECR due in 2020.

[You may also like “UK’s Top 4 Regulations Overlap“]