A year ago, after years of legal battle, the Court of Justice of the European Union (CJUE) issued its final ruling in case C-673/17, also known as the "Planet 49" case. It essentially forbade pre-ticked boxes on a cookie notice, holding that valid consent can only be based on a positive, affirmative action by the user. The ruling has had a ripple effect across the entire advertising industry, leading the IAB to update its Transparency and Consent Framework (TCF). Here's how.
- Why did a European court tackle cookie consent?
- What consequences does the ruling have for German website owners?
- How did the TCF change as a result of the Planet 49 ruling?
- What is the timeline to update consent notices?
Why did a European court tackle cookie consent?
What did the CJUE rule upon? Why did a European court tackle a case about the cookie consent notice of a minor German website? Planet 49 is a German company offering an online lottery service, and its website used two checkboxes on the login page for the lottery.
Because privacy professionals wanted answers to 3 main questions:
- Is cookie consent collected through pre-ticked boxes valid?
- What type of cookie information should be made available to the user to obtain a valid consent?
- Should consent only be collected for cookies used to read or access personal data?
Tomorrow is a big day for #ePrivacy as the #CJEU issue judgment on Case C‑673/17 (#planet49).
Highly expect that Court will rule #consent *must* be an affirmative & separate action (per purpose); *must* include names of 3rd parties & duration of #cookies
— Alexander Hanff (@alexanderhanff) September 30, 2019
And they were right. The CJUE indeed answered a number of questions related to cookie consent, requiring website owners to implement or adapt their cookie consent mechanisms to make sure they comply with the ruling.
The ruling basically said that pre-ticked boxes and the bundling of data collection purposes cannot be used to collect valid consent, regardless of whether the cookies are used to access personal or non-personal data. Also, before being able to consent, users should be informed of the expiration date of cookies, as well as of all third parties reading or setting cookies on the website.
The CJUE also expressed that "an active behaviour with a clear view" to consent is needed to collect a valid consent, which should effectively put an end to using scrolling or continuing browsing as a consent mode.
What consequences does the ruling have for German website owners?
- List all cookies dropped or read on your website and collect their expiration date and category
- Inform the user about your cookie usage (purpose and cookie information) on your cookie notice
- Make sure you offer a neutral choice for your cookie consent purposes, and collect consent only when the user has had an "active behavior" (no scrolling or continuing navigation)
- Only drop or read cookies after the user has been informed and has consented
- Make sure partners and third parties on your website follow these rules.
If you’re using a Consent Management Platform, like Didomi's, these checks should be easy to complete. Consent Management Platforms let you gather, store and distribute user consent, not only for website operators, but also among vendors that are part of the Global Vendor List (GVL).
But what will change in the TCF, the industry standard for gathering consent from consumers?
How did the TCF change as a result of the Planet 49 ruling?
While many industry players are still in the midst of a transition from TCF v1 to TCF v2, the IAB's Transparency and Consent Framework organization passed an amendment to its policies to support the changes required by the Planet 49 ruling. Here is what the "TCF v2.1" guidelines say:
- TCF vendors are required to disclose their maximum cookie storage duration on the GVL, and whether other means of storage/access are used
- CMPs are required to disclose to the user, on a secondary layer of the user interface, each vendor’s maximum cookie storage duration and whether other means of storage/access are used
- CMPs are required to disclose the more detailed, purpose-specific storage and access information for each vendor, where vendors make this information available
- TCF vendors are prohibited from refreshing the maximum storage duration where the duration indicated on the GVL is not indefinite, unless the framework signals indicate that the user has renewed their consent.
Optionally, vendors can disclose more detailed and purpose-specific storage and access information where they wish to demonstrate detailed compliance with the requirements of the ruling.
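The cookie inventory from the website-owner checklist and the maximum storage duration that vendors must now disclose can be checked against each other. The following is an added example, not code from Didomi or the IAB: the hosts, cookies and declared durations are constructed sample data, and the domain-suffix match is a simplification that ignores the Public Suffix List.

```javascript
// Constructed sample: Set-Cookie headers captured per responding host.
const SAMPLE = [
  { host: "www.example.test", header: "session=abc; Path=/; HttpOnly; Secure" },
  { host: "www.example.test", header: "prefs=dark; Max-Age=31536000; Path=/" },
  { host: "ads.vendor.test", header: "uid=42; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=vendor.test" },
  { host: "cdn.partner.test", header: "t=1; Max-Age=7776000" },
];
// Hypothetical maximum storage durations (seconds) declared by each third party.
const DECLARED_MAX = { "vendor.test": 33696000, "partner.test": 7776000 };
const NOW = Date.UTC(2021, 0, 1); // fixed clock so the audit is reproducible

function parseSetCookie(header, nowMs) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  let maxAge = null, expires = null, domain = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? "" : attr.slice(eq + 1);
    if (key === "max-age" && /^-?\d+$/.test(value)) maxAge = Number(value);
    else if (key === "expires" && !Number.isNaN(Date.parse(value)))
      expires = Math.round((Date.parse(value) - nowMs) / 1000);
    else if (key === "domain") domain = value.replace(/^\./, "").toLowerCase();
  }
  // RFC 6265: Max-Age wins over Expires; neither means a session cookie (null).
  return { name, domain, lifetimeSeconds: maxAge !== null ? maxAge : expires };
}

const under = (host, parent) => host === parent || host.endsWith("." + parent);

// One row per cookie: scope, first/third party, lifetime, and whether the
// lifetime is longer than what the owning third party declared.
function auditCookies(records, siteDomain, declaredMax, nowMs) {
  return records.map(({ host, header }) => {
    const c = parseSetCookie(header, nowMs);
    const scope = c.domain || host.toLowerCase();
    const owner = Object.keys(declaredMax).find((d) => under(scope, d));
    const limit = owner ? declaredMax[owner] : null;
    const tooLong = limit !== null && c.lifetimeSeconds !== null && c.lifetimeSeconds > limit;
    return { name: c.name, scope, thirdParty: !under(scope, siteDomain),
             lifetimeSeconds: c.lifetimeSeconds, exceedsDeclared: tooLong };
  });
}

console.table(auditCookies(SAMPLE, "example.test", DECLARED_MAX, NOW));
```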
These new requirements come with new technical specifications. Additional vendor information regarding their cookies will be added to the Global Vendor List (see details here).
What is the timeline to update consent notices?
In terms of timeline, vendors are required to complete their additional information requirements by September 30th 2020, and CMPs should update their user interface (UI) to accommodate the new requirements by January 31st 2021. Website and app operators have nothing to do if they are properly equipped with a CMP.
These changes will make it very easy for website owners to disclose cookie information about their third parties belonging to the TCF, and will therefore help them comply with the Planet 49 ruling.
Please get in touch with our team at Didomi if we can help you in the process.