Cookies consent does not escape the GDPR: The CJEU issued its decision in the Planet49 case
Peter Van Dyck
Nicole Wolters Ruckert
Catherine Di Lorenzo
Anna van der Leeuw-Veiksha
Professional Support Lawyer (not admitted to the bar)
02 October 2019
On 1 October 2019, the Court of Justice of the European Union (CJEU) issued its long-awaited decision in the case Planet49 (Case C‑673/17). The decision clarifies the requirements for valid cookie consent under Directive 2002/58 (ePrivacy Directive).
The CJEU objects to tying cookie consent to the participation in an online lottery but, unlike in the opinion of the Advocate General in this case, the court nevertheless leaves open the question of whether users may ‘sell’ their personal data in exchange of a service (e.g. obtained at a lower price) in other circumstances. Guidance on selling personal data in this context is expected from the European Data Protection Board (EDPB), which considered this issue during its plenary meeting on 10 September 2019.
Read the full decision here.
The facts of the case
In the description next to the second checkbox, users were given brief information on the cookies’ purposes, on the provider of the web analytics service, on the fact that users could delete the cookies at any time and that it would be Planet49 who sets the cookies. By clicking on a link in the description (“You can read more about this here”), users were given further details on the cookies placed, including a short description of the functioning of the cookies and the fact that the cookies would track users on the websites of advertising partners who registered for the web analytics service in question. The website further specified that no user profiles involving multiple advertising partners would be created.
The Federation of German Consumer Organisations took Planet49 to the German courts, claiming that the concerned declarations of consent were not compliant, among others, with the German transposition of the ePrivacy Directive. The Bundesgerichtshof (Federal Court of Justice) referred several question to the CJEU, including in particular whether pre-checked boxes constitute valid cookie consent.
A pre-ticked checkbox is not a means of obtaining valid consent
The CJEU established that the consent required under the ePrivacy Directive for storing or accessing cookies must comply with the requirements for consent under the GDPR. Although not referred to by the court, this confirms the EDPB’s position in its Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR.
In accordance with the GDPR, consent must be “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Thus, consent that does not comply with the requirements of the GDPR may not be relied upon for the purposes of the ePrivacy Directive.
Planet49 argued that a valid consent is given on the part of the user, not when he does not unclick a pre-formulated declaration of consent but when he actively clicks on the participation button for the online lottery. However, the CJEU dismissed this argument on the basis that consent must be specific to the processing of personal data concerned and may not be derived from an indication of wishes having a different objective. Thus, in the circumstances at hand, participation in the lottery and consent to cookies could not be tied together.
As a result, it does not constitute a valid consent within the meaning of the ePrivacy Directive in conjunction with the GDPR if the storage of cookies or access to information already stored on user’s terminal equipment (such as cookies) is permitted by way of a pre-ticked checkbox which the user must deselect to refuse his consent.
The ePrivacy Directive applies irrespective of whether the information stored or accessed constitutes personal data
The CJEU further confirmed that the objective of the ePrivacy Directive consists in protecting the users against any interference with their private life, irrespective of whether this interference concerns or not personal data. Furthermore, the ePrivacy Directive refers to the ‘storing of information’ and ‘the gaining of access to information already stored’, without qualifying this information as personal data. Thus, it does not make a difference whether the information (or cookie) stored or accessed constitutes personal data for the purposes of the ePrivacy Directive.
The information obligation under the ePrivacy Directive also includes the cookie operation period and the question of whether third parties are given access to the cookies
By reference to the fairness principle while processing personal data, the CJEU held that in a situation such as in the case at hand, where cookies are used to collect information for advertising purposes in respect to the products of the partners of the online lottery, the duration of the operation of a cookie and the question of whether third parties are given access to the cookies are to be included as part of the clear and comprehensive information required under the ePrivacy Directive.
Pursuant to the CJEU, this also follows from the GDPR, the information requirements of which must be complied with when storing or accessing cookies in the terminal equipment of the user. In accordance with these requirements, the information to be provided must contain both the duration of the operation of cookies and whether or not third parties have access to those cookies.
Key takeaways: Cookie usage must comply with the GDPR
The Planet49 case confirms the approach of the EDPB and national data protection authorities, without, however, mentioning these positions. The court asserts that consent for using cookies and other online tracking methods and techniques (e.g. flash cookies, tags, scripts, pixels, device fingerprinting, etc.), despite being currently governed by special legal norms of the ePrivacy Directive, do not escape the requirements for consent as set out in the GDPR. More specifically, when using cookies on your website that require consent:
- You should review your cookie consent mechanism and specifically review the mechanism on the use of pre-ticked boxes. Please note that the use of pre-ticked consent boxes does not lead to valid cookie consent; and
Finally, the CJEU recalled that EU law must normally be given an autonomous and uniform interpretation throughout the EU. By this statement, the court acknowledged, yet implicitly, the different transpositions of the ePrivacy Directive and diverging guidance from the national data protection authorities in the various Member States. These differences may cause legal uncertainty when operating in more than one Member State. Hopefully, the EDPB or the upcoming ePrivacy Regulation will address issue.