Unpleasant mail from the ECJ for most company websites and especially for the professional targeting industry: In the future, it will no longer be sufficient to simply click away the famous cookie banner that dominates every website when it is called up, thereby giving the provider consent to track the user’s surfing behavior, among other things, and to use this for retargeting measures, for example.
In the future, the various cookies (absolutely necessary, performance and functional cookies, and those for marketing purposes) will have to be listed individually so that the user actively gives consent at least for the marketing cookie. In addition, it must be clear to the user to what extent the cookies will be shared with third parties. Pre-ticked boxes are not permitted. The regulation applies regardless of whether or not personal data is involved.
This September 30, 2019 decision draws increased attention to the planned ePrivacy Regulation, in which this principle, which has been under heavy fire, will likely be regulated. The retargeting industry will not like this requirement, as active opt-in to advertising cookies will dramatically reduce the number of potential retargeting users. Wiping away was annoying but easy until now, with active opt-in the user considers the consequences and the laziness effect plays out. E-mail providers have known this for a long time with the double opt-in requirement. The ePrivacy Regulation should also regulate that the cookie consent must be given once and that the request does not inconvenience the website visitor every time. With the different consents by users, the rights management of each provider becomes even more central.
In the specific proceedings of a German court, which were submitted to the ECJ for assessment, the main issue was that the operator of a website – an address trader and sweepstake operator – had the right granted to it in the form of notice texts to set cookies in the user’s browser so that service providers could play out “interest-based advertising”. The corresponding checkbox was already pre-ticked. Only with an additional click could users revoke their consent.