EU court opposes cookies by default - there should be no pre-checked checkboxes

In Europe, they decided that consent to the setting of cookies should be explicit and forbidden to pre-set the corresponding checkmarks on the banners. It is believed that the decision will complicate web surfing and will have far-reaching consequences in the legal field. We understand the situation.





Photos - Jade Wulfraat - Unsplash



What the court decided



In early October, the Court of Justice of the European Union ruled that on the sites you can’t use pre-filled check boxes that allow cookies to be set in users ’browsers. Otherwise, companies violate the requirements of ePrivacy Directive and GDPR, which oblige you to obtain explicit consent to the processing of PD.



In addition, owners of Internet resources were obliged to list the names of third-party companies that have access to personal data of visitors, and indicate the “lifetime” of cookies. The court also noted that the actions performed by the user on the site (for example, downloading a file) cannot be regarded as consent to the processing of PD.


The case in which the decision was made was opened in Germany back in 2013. Then the Federation of German Consumer Organizations sued the Planet49 lottery company. On the site of the latter there were checkmarks allowing the setting of advertising cookies. The German court conducted the case for four years, but in 2017 decided to transfer it to the European Union Court for a detailed hearing.



It is worth noting here that the decree does not affect cookies, the installation of which sites are not legally obligated to ask users for permission. We are talking about cookies for saving session data, the work of social network plugins and downloading video content.



What will affect the decision



The solution will draw additional attention to the problem of personal data security on the Internet. For example, after the entry of the GDPR into force, European regulators recorded an increase in the number of complaints about company violations - violation of the shelf life of PDs, their illegal processing or leaks. It is believed that the new ruling of the European Court will lead to a similar reaction. However, there is another side to the coin. Some users still try to hide the cookie banner as soon as possible so that it does not occupy useful space on the page. The need to manually tick off the necessary check-boxes will make it difficult for them to work on sites - at least it will take time.



In any case, site owners will have to change approaches to the processing of cookies and, possibly, PD. Interestingly, the new ruling will affect the website of the European Court itself. As one of the residents of Twitter noted , the organization’s web resource does not meet the new privacy standards.



According to Lukasz Olejnik, an expert on information security at Oxford University, the need to indicate the expiration of cookies will impose additional obligations on websites. Webmasters will have to make sure that the attributes max-age and expires, which are responsible for the "lifetime" of the tracking files, match the information on the banner.





Photos - Pietro De Grandi - Unsplash



The court ruling also sets an important precedent. European regulators will be guided by him in the proceedings of similar disputes.


In this case, as noted by Luca Tosoni (Luca Tosoni), a researcher at the Norwegian computer and law research center, the new resolution will affect the discussion of the bill ePrivacy Regulation. It will complement the GDPR and tighten the rules for working with cookies and personal data. They must adopt the law in 2020.



Matters not addressed by the court



The Court of Justice of the European Union has not yet addressed issues related to the validity of cookie walls. These are banners blocking access to content until the user allows the processing of personal data. Although at the beginning of the year, the Dutch regulator issued a decree calling the cookie walls illegal. They force users to agree to the terms of data collection, and this is contrary to the requirements of the GDPR.



But the decision of the regulator in the Netherlands can still be changed by the Court of Justice of the European Union. By the way, he will consider this issue in the near future - during hearings in the case of the Romanian Internet provider Orange Romania.




The equipment of our cloud lives in three data centers (DPC): Xelent / SDN (St. Petersburg), Dataspace (Moscow) and Ahost (Alma-Ata).


In particular, the Dataspace data center is the first Russian data center to pass Tier lll certification from the Uptime Institute.




Our fresh habraposts:









All Articles