Since the implementation of the GDPR in May 2018, not all its provisions have been made clear and some can still be interpreted in different ways. Exemplary court rulings are needed to establish legal interpretations for these in detail. Such decisions then serve as a guideline for further judgments and related issues.
On 1 October 2019, the European Court of Justice issued a ruling binding on all member states: from now on, consent for cookies is mandatory for all website operators! This exemplary court decision improves the clarity of the interpretation of the GDPR. In light of this, we explain how you should handle the setting of cookies from now on and which of GDPR’s provisions are still unclear.
The court states the following:
- A pre-checked box does not constitute effective consent.
- The function duration must be specified for cookies.
What does that mean?
What’s the next step?
- The exact difference between necessary cookies and other types of cookies.
- Whether tracking cookies are considered necessary cookies for aggregate analysis purposes or whether a legitimate interest in them can be asserted.
- Whether consent to categories of cookies is permitted as opposed to each individual cookie requiring permission.
We recommend the following until the new e-Privacy Regulation clarifies this or further court rulings are made:
- Divide cookies into the following categories:
  - Marketing/Targeting Cookies (e.g. Facebook, LinkedIn, Google Ads)
  - Performance/Analytics Cookies (e.g. Google Analytics, Matomo, Piwik, AT Internet)
  - Functional cookies (e.g. Vimeo, debugging tools, chat widgets)
  - Absolutely necessary cookies (e.g. shopping cart, storage of language selection, login status)
- All marketing/targeting cookies must be blocked by default and can only be set with the active consent of the user.
- For the remaining categories, there is a need, or at least a legitimate interest, to set them without active consent. However, you must inform your users about these cookies.
Attention: As soon as any cookie from the Functional or Performance categories is also used for marketing purposes, explicit consent is required.
If you want to be on the safe side, block all cookies except those that are absolutely necessary for the operation of the website. However, you will then also lose information about how your website is used and where it needs to be optimized.
Even before the GDPR came into force, we pointed out in our article (How to make your website fit for the new EU data protection regulation) that you should use a cookie management solution to control the setting of individual cookies. We have implemented several dozen of these solutions and would be happy to advise you on creating yours.