Several weeks ago, we published a CCPA FAQS on Cookies, which provides a high-level look at how the impending CCPA may apply to website cookies. The CCPA’s definition of personal information is expansive, and in preparation for the CCPA it is easy to overlook certain elements of personal information, in particular website cookies.

A cookie is a small text file that a website places on a user’s computer (including smartphones, tablets or other connected devices) to store information about the user’s activity. Cookies have a variety of uses ranging from recognizing the user when they return to the website to providing the user with advertising targeted to their interests. Depending on their purpose, the website publisher or a third party may set the cookies and collect the information. These cookies may trigger certain data protection obligations.

Recently, the Court of Justice of the European Union (CJEU), EU’s high court, issued an important opinion that addresses website cookie use Bundesverband der Verbraucherzentralen v. Planet49 (C-673/17)The opinion reviewed EU law on the protection of electronic communications privacy and provides clarity on cookie consent requirements. The CJUE’s decision follows several EU developments regarding website cookies and online tracking. In July, the UK Information Commissioner’s Office published an extensive “Guidance on the use of cookies and similar technologies”; the Commission Nationale de L’informatique (CNIL) of France published an updated version of its guidance on cookies; and the CJEU issued an informative opinion (Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV (C-40/17)) on data protection issues surrounding the use of social media widgets. It is safe to say to that these developments signal the importance of assessing your businesses’ website cookie usage practices.

Below are several key takeaways from the CJEU opinion on website cookies in Planet49:

  • Consent which a website user must give to the storage of and access to cookies on their equipment is not validly constituted by way of a prechecked checkbox which that user must deselect to refuse their consent. This is required whether or not the information stored or accessed on the user’s equipment is personal data.
  • Consent must be freely given, specific, informed and unambiguous. So the fact that a user selects the button to participate in a promotional lottery (or reads a webpage, watches a video, etc.) is not sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies.
  • The information that the service provider must give to a user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.

Cookies and other website tracking technologies pose a unique challenge to businesses as they work to identify the personal information they collect and process. Identifying the presence of these technologies, their function, and the relationship with any third party that places them on the website is essential and requires a greater understanding of the website’s functionality as well as a deeper dive into the business’ analytics, marketing, and advertising practices. In addition, once cookie technologies are identified, businesses should review their existing cookie notice and consent policies as well as website privacy policies to determine if any updates should be made in light of applicable law. Whether the GDPR and e-Privacy Directive, the CCPA, or applicable U.S. state laws apply, organizations that use website cookies should take note. In the event these cookies collect personal data, your organization may be subject to additional data privacy compliance obligations.