<img height="1" width="1" src="https://www.facebook.com/tr?id=1046809342117480&amp;ev=PageView &amp;noscript=1">

VSEC Blog: IT Security Channel News brought to you by Infinigate UK

Share the Infinigate UK Blog on LinkedIn Share the Infinigate UK Blog on Twitter Share the Infinigate UK Blog on Facebook Share the Infinigate UK Blog on Google+ Share the Infinigate UK Blog via Email

ECJ Ruling on Cookie Laws Finds Most Websites Non-Compliant

Topics: Data Protection, Cyber Attack, PECR, Cookies

Posted: 02 December 2019


The festive season is nearly upon us; and while you might be dreaming about cookies of the sugary and Christmas themed type, European judges have other ideas. The other type of cookie – and most likely the more frequent – are those used on websites to store small amounts of information on our local endpoints to assist with functionality.

Cookies have a number of uses. Some cookies save the contents of your shopping cart as you browse from page to page, some are used track which parts of a website you are most interested in, and others can be used to deliver advertisements on various platforms as you browse the internet.

[You may also be interested to read "Data Breaches and the GDPR - 1 Year Later"]

Privacy and Electronic Communications Regulations 2002


To date, the use of cookies in EU member states and EEA countries have been regulated by the Privacy and Electronic Communications Regulations (PECR) of 2002, which required three things to be true for the lawful use of cookies on websites:

  1. Get consent for the use of cookies.
  2. Explain to users what cookies are in use on the website.
  3. Explain what each cookie does.

Since 2003, interpretation of this law has been those banners which you probably encounter on each site you visit warning you that cookies are in use, with an accept or okay button used to dismiss the banner from view.

In this scenario, cookies are used as soon as the user access the website, with the banner functioning as informational only. The only way to avoid those cookies is to not access the site at all.


European Court of Justice Rules on Active Consent for Non-Functional Cookies


On the 1st of October 2019, the European Court of Justice (ECJ) ruled on a year-long case against Planet49 GmbH by the German Federation of Consumer Organisations, against the use of assumptive consent for all non-functional cookies – otherwise known as a pre-ticked checkbox.

This ruling means that only active consent from the user can constitute lawful consent, throwing the current cookie banner format norm into the bin of non-compliance. The ECJ has taken exception to those cookies which must be deployed for proper function of the website. Going back to our earlier example, this would include cookies for technologies like shopping baskets, but those cookies used for tracking and marketing now require active consent.

In essence, cookies that are deployed at the point of website access with a subsequent banner explaining that cookies are in use must be changed so that only functional cookies are deployed upon website access. All other cookies can only be deployed when a banner-based accept button is pressed by the user.


Not All Member States are Equal


What is interesting about this ruling is that it is based on the PECR directive of 2002, which has not been fully implemented in all EU member states. This means the ruling from the ECJ does not directly apply in Germany, Czech Republic and Estonia, but it does in the UK.

This ruling is unlikely to be welcomed by website administrators and marketers who will see this as an attack on targeted-advertising and website analytics. After all, it is very unlikely that someone will give consent to non-functional cookies, especially those related to tracking.

In a world of the GDPR restricting outbound marketing, and now rulings on the PECR making it more difficult to create trackable inbound marketing campaigns, businesses will be keen to see what is in store for them with the updated PECR due in 2020.

[You may also like "UK's Top 4 Regulations Overlap"]


Data Protection for Life GDPR Data Processing

Infinigate UK
Posted by: Infinigate UK
Share via:

Subscribe to VSEC Blog Updates

Terms and Conditions:
  • When completing this form, you are indicating your consent for this processing activity. By doing this you are providing Infinigate UK with lawful consent to process your submitted personal data for one or both of the marketing purposes below:
    • We will use your details to send you blog updates.
    • We will match your answers to areas of interest which believe you have and may send you additional marketing materials related to those areas.
  • We will keep your personal data for nine months, upon which we will delete your personal data unless you have consented to further processing or we have legitimate interests to retain it. You are free to withdraw your consent at any time by contacting our marketing department or using one of our unsubscribe links in our communications.
  • In some cases where you indicate consent for supplying you with additional promotional marketing material, we will share your personal data with one of our reseller partners, should your areas of interest match a solution or service they provide. We instruct all our reseller partners to communicate this data transfer with data subject affected.
  • Your personal data is stored in a marketing automation solution database, access to this is limited to authorised users and all necessary steps to ensure data security is maintained.

For further information about this form, your rights under the General Data Protection Regulation or how to exercise them, please contact Infinigate's marketing department here.

Popular Posts