As the clock winds down on the compliance deadline for the California Consumer Privacy Act, privacy professionals—especially those advising web operators—should not lose sight of key decisions from European courts and regulators. Indeed, these declarations will affect the digital ecosystem and best practices for web design far beyond Europe.
Privacy notices have their place (usually hidden in a link, rarely clicked, at the bottom of a web page), but thanks to the EU, “in-your-face” cookie banners now greet (and likely annoy) visitors on a great number of websites. The ePrivacy Directive 2002/58/EC (as amended by 2009/136/EC) is principally to blame.
Even though the text of banners is significantly shorter than that found in privacy notices, their ubiquity tends to prompt an ignore-and-click mentality in order to maximize screen real estate—especially on smaller, handheld devices.
To the extent businesses view cookie banners as a necessary evil to be deployed and forgotten, recent developments from the EU suggest that a reassessment of cookie practices may be in order.
The Planet49 judgment from the European Court of Justice (ECJ) further clarifies that consent cannot be established via a pre-checked box. Relying on GDPR Recital 32—which expressly precludes “silence, pre-ticked boxes or inactivity” from constituting consent—the court confirmed that requiring users to uncheck a box in order to opt out of data collection is not the sort of “positive action” that would satisfy the GDPR’s definition of consent.
Share and Share a ‘Like’
Arguably more ubiquitous than cookie banners are social media plugins.
Eager to increase exposure, websites often provide links to share content via Facebook, Twitter, and other social media sites. Website operators should be aware, however, of the ECJ’s Fashion ID judgment, which held that an operator who embeds a plugin that collects and transfers the personal data of website visitors is a “controller” of that data, jointly with the provider of the plugin.
In the Fashion ID case, an online clothing retailer had embedded Facebook’s ‘Like’ button on its website. By so doing, the retailer transmitted to Facebook the IP address of any visitor to the retailer’s site, as well as technical data from the visitor’s browser. This transmission occurred regardless of whether the visitor had a Facebook account or whether the visitor had clicked the ‘Like’ button.
The ECJ noted that, by embedding the ‘Like’ button, the retailer had exerted “a decisive influence over the collection and transmission of the personal data of visitors … which would not have occurred without that plugin.” As such, the retailer was a controller, even though it did not itself have access to that data. Moreover, it had a duty to inform and obtain consent from visitors about the data transferred.
Given the ECJ’s penchant for extraterritorial application of EU law, and given the global nature of ecommerce, to view EU developments as mere parochial exhortations would be imprudent for any website involved in the collection and use of consumer data.
Forward-looking companies will reassess their online presence to align with EU expectations, but with a little ingenuity. Banners will likely disappear, to be replaced with more innovative techniques for securing valid consent. And the implications from the use of plugins will be seamlessly incorporated into those next-gen notices.
Read about other trends our analysts are following as part of our Bloomberg Law 2020 series.