Journal article

Cookie consent – How to get it (right)

Pages 31 to 37

Cite this article


Di Lorenzo, C. and Wagner, P. (2019). Cookie Consent – How to Get It (right). Pin Code, 2(2), 31-37. https://doi.org/10.3917/pinc.002.0031.


English

Cookies have an important role on the internet and are in some cases even essential to the functioning of a website. They may be used for various purposes, such as keeping track of items added to the shopping basket, remembering a user’s language choice or building a profile on the basis of the user’s browsing activity across multiple websites. The use of cookies is subject to certain legal requirements stemming from the ePrivacy Directive and the General Data Protection Regulation (GDPR). Non-essential cookies may notably only be used where valid consent has been obtained from the user. The subject has recently received increased attention, in particular as a result of the decisions adopted by the Court of Justice of the European Union in the Fashion ID and Planet49 cases and the publication of new guidance by supervisory authorities. This article is an effort to bring clarity by providing an overview of the existing case law and guidance with regard to cookies.


