A year ago, after years of judiciary battle, the Court of Justice of the European Union (CJUE) presented a final ruling of case C-673/17, also known as "Planet 49" case. It basically forbid to pre-tick boxes on a cookie notice, considering that valid consent could only be based on a positive, affirmative action by the user. The ruling has has a ripple effect in the entire advertising industry, leading the IAB to update its Transparency and Consent Framework (TCF). Here's how.
- Why did a European court tackle cookie consent?
- What consequences does the ruling have for German website owners?
- How did the TCF change as a result of the Planet 49 ruling?
- What is the timeline to update consent notices?
Why did a European court tackle cookie consent?
What did the CJUE rule upon? Why did a European court tackle a case about the cookie consent notice of a minor, German website called Planet 49, a German company offering an online lottery service that used two checkboxes on its website at the login page for the online lottery?
Because privacy professionals wanted answers on 3 main questions:
- Is cookie consent collected through pre-ticked boxes valid?
- What type of cookie information should be made available to the user to obtain a valid consent?
- Should consent only be collected for cookies used to read or access personal data?
Tomorrow is a big day for #ePrivacy as the #CJEU issue judgment on Case C‑673/17 (#planet49).— Alexander Hanff (@alexanderhanff) September 30, 2019
Highly expect that Court will rule #consent *must* be an affirmative & separate action (per purpose); *must* include names of 3rd parties & duration of #cookies
And they were right. The CJUE indeed answered a number of questions related to cookie consent, requiring website owners to implement or adapt their cookie consent mechanisms to make sure they comply with the ruling.
The ruling basically said that pre-ticked boxes and the bundling of data collection purposes are forbidden to collect valid consent, regardless of whether they are used to access personal or non-personal data. Also, users should be informed of the expiration date of cookies, as well ass all third parties reading or setting cookies on the website, before being able to consent.
The CJUE also expressed that "an active behaviour with a clear view" to consent is needed to collect a valid consent, which should effectively put an end to using scrolling or continuing browsing as a consent mode.
What consequences does the ruling have for German website owners?
- List all cookies dropped or read on your website and collect their expiration date and category
- Inform the user about your cookie usage (purpose and cookie information) on your cookie notice
- Make sure you offer a neutral choice for your cookie consent purposes, and collect consent only when the user has had an "active behavior" (no scrolling or continuing navigation)
- Only drop or read cookies after the user has been informed and has consented
- Make sure partners/3rd party on your website follow this rule.
Moreover, bear in mind that, in France, the CNIL considers Analytics as functional, therefore essential cookies for which no consent is needed, while the European Court of Justice considered them non-essential, and thus requiring consent. If you would like to find out more on the CNIL's 2020 recommendations, check out our page dedicated to this subject. Or, if you have any questions about UK or Irish regulation, schedule a demo with one of our experts today.
#ECJ : A consumer's consent to collection and retention of I.D. in a telecommunications services contract cannot be presumed to have been validly given when the relevant box has been ticked by the data controller prior to the signing of the contract. #Romania @orange pic.twitter.com/jlPJA1x04i— EU Court of Justice (@EUCourtPress) November 11, 2020
If you’re using a Consent Management Platform, like Didomi's, these checks should be easy to complete. Consent Management Platforms indeed allow to gather, store and distribute user consent, not only for website operators, but also among vendors that are part of the Global Vendor List (GVL).
But what will change with the industry standard to gather consent from consumers, the TCF?
How did the TCF change as a result of the Planet 49 ruling?
While many industry players are still in the midst of a transition from TCF v1 to TCF v2, the IAB's Transparency and Consent Framework organization passed an amendment to its policies to support the changes required by the Planet 49 ruling. Here is what the "TCF v2.1" guidelines say:
TCF vendors are required to disclose the maximum duration of cookies created on devices
TCF vendors are required to disclose whether non-cookie methods of storage or accessing information are used (like local storage, IndexedDB, etc.).
TCF vendors are required to disclose the full list of information stored on devices with their identifier, duration, domain, type, and purposes.
Optionally, vendors can disclose more detailed and purpose-specific storage and access information where they wish to demonstrate detailed compliance with the requirements of the ruling.
These new requirements come along new technical specifications. Additional vendor information regarding their cookies will be added to the Global Vendor List (see details here).
What is the timeline to update consent notices?
In terms of timeline, vendors are required to complete their additional information requirements by September 30th 2020, and CMPs should update their user interface (UI) to accommodate the new requirements by January 31st 2021. There is nothing to do for website and app operators, if they are properly equipped by a CMP.
These changes will make it very easy for website owners to disclose cookie information about their 3rd parties belonging to the TCF and therefore help them to comply with the Planet 49 ruling.