Most websites ask their users to consent to cookies with the following wording: “By continuing to use our site, you accept our use of cookies.” With GDPR, the question arises whether this kind of consent is still compliant.
1. Legal background
Cookies are admissible as long as they are strictly necessary to provide the service. That derives from Art. 5 (3) directive 2002/58/EC, known as the “ePrivacy directive”.1
For example, a cookie for a shopping cart is necessary for the service of an online shop. The shopping cart provides the customer with the option to buy several items within one technical process. Without the cookie, the customer would be forced to start the whole buying process from zero for each item.2
In contrast, convenience cookies, marketing cookies and tracking cookies are not strictly necessary for the provision of the service. For example, a tracking cookie which is permanently placed on the hardware device and follows the customer across all websites is not necessary for an online shop. Therefore, convenience cookies, marketing cookies and tracking cookies require the consent of the customer.
The ePrivacy directive originally referred to Data Protection Directive 95/46/EC on how to ask for consent according to Art. 2 (f).3 Data Protection Directive 95/46/EC is now replaced by GDPR. That leads to the question whether the wording “By continuing to use our site, you accept our use of cookies.” is still admissible under GDPR.
2. Assessment
According to Art. 7 GDPR, consent shall be
- freely given,
- given by a clear affirmative act,4
- without being conditional on personal data that is not necessary for the performance of the service contract.
First, the consent is not freely given, since the user has no choice between using the service with or without the convenience cookie. The only option for the customer is “take the service with the cookie or leave it”.
Second, the user is not able to express his will if he refuses to consent to the cookie and at the same time wants to purchase goods from the online shop. Therefore, the online shop receives a confirmation from its customers which is ambiguous.
Third, the consent is conditional, since the data which is being processed by the convenience cookie is not strictly necessary for the provision of the service. The provision of the service is possible without the implementation of the convenience cookie. Without the convenience cookie the online shop is less user friendly, but the purchase of the items is still possible. Therefore, the convenience cookie is not strictly necessary to provide the service. It follows that the customer is forced to consent if he wants to purchase goods from the online shop. Therefore, the consent is conditional.
In addition, a separate consent is necessary for every single purpose of consent.5 For example, the consent for a convenience cookie has to be separated from a consent for a tracking cookie, e.g. in a separate tick-box.
3. Conclusion
The wording mentioned above represents a “pseudo-consent”. The user has no choice to use the online shop without the cookie for convenience, marketing or tracking purposes. That approach is not in line with the aspect of self-determination, which is the essence of the Right to Data Protection.
In a similar case, the German High Court (Bundesgerichtshof) asked the ECJ for a preliminary ruling on consent. The Court asked whether a consent with a pre-ticked box is admissible according to Art. 5 (3) ePrivacy Directive in connection with GDPR.6 The pre-ticked box is an opt-out instead of a clear affirmative act, which requires an opt-in according to Recital 32 GDPR. Therefore, it is very likely that the ECJ dismisses this kind of consent. However, the ECJ may take this proceeding as a chance to clarify the requirements for consent according to GDPR in a broader sense.
1 Amended by Article 2 (5) directive 2009/136/EC, 25th November 2009; https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:EN:PDF
2 WP29, WP 194, Opinion 04/2012 on Cookie Consent Exemption, adopted on 7 June 2012, page 6; https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf
3 Art. 2 (f) directive 2002/58/EC states: “consent” by a user or subscriber corresponds to the data subject’s consent in Directive 95/46/EC; https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32002L0058
4 Recital 32 GDPR: “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”…
5 Recital 32 GDPR: …“When the processing has multiple purposes, consent should be given for all of them.”…
6 BGH I ZR 7/16, of 5 October 2017, http://juris.bundesgerichtshof.de/cgi-bin/rechtsprechung/document.py?Gericht=bgh&Art=en&nr=80132&pos=0&anz=1