These days it could be said that a website that doesn't use cookies, does not exist. However, in practice we can see fundamental differences in setting cookies and fulfillment of related obligations.
One of the most recent decisions of the Court of the EU from 1st October 2019 provides a clear answer to the partial questions asked, which concern the procedure of obtaining consent for cookies from website users.
Pre-marked checkbox
In the decision in question, the Court dealt with the question of whether a pre-marked box of consent with cookies could be deemed properly given consent. The Court has clearly concluded that in such a situation, consent is not given correctly, as it cannot be excluded that the user may have not noticed such a box before continuing in activity on the website.
So, in case you use cookies for which you need the user's consent, such consent must be given proactively. The pre-marked checkbox, whose mark must be revoked by the user in order to refuse to give a consent does not constitute effectively given consent.
In this context, it should be pointed out that this case related to cookies and the processing of personal data used for advertising purposes. This type of cookies requires consent. However, the Court has not addressed how to deal with this type of cookies, which are considered to be so-called essential cookies. i.e. which are necessary for the website to properly function. Though, several supervisory authorities have already taken a position on this issue, and you can find their conclusions in our article New Comprehensive Guidelines: How to use cookies properly?
Privacy even without personal data
At the same time, the Court stated that any information stored in the end devices of users of electronic communications networks (i.e. in a notebook, tablet, phone) are the part of the privacy of users, whether they are concerning personal data or not.
According to the Court, which also referred to recitals 24 of the Directive 2002/58, the aim of this approach is in particular, to protect users from danger that hidden identifiers or other similar devices would penetrate these user´s end devices without their knowledge. For this reason, it is necessary to request for consent and to fulfill the information obligation also in the case the cookies do not contain information that could be considered a personal data of the data subject according to GDPR.
What information does not forget to provide?
Last but not least, the Court has confirmed that the users of the websites should be informed not only of the purposes of data processing but also of the length of functionality of the cookies, as well as whether or not third parties have access to these cookies.
In summary, the decision-making practice of the courts begins to definitely resolve issues relating to not only the protection of personal data, but also the privacy of individuals. It will be interesting to see how the legislator will deal with this area in the new e-Privacy regulation whether he will follow the existing decisions of the Court or choose a completely new path.