Skip to content

Cookies consent does not escape the GDPR: The CJEU issued its decision in the Planet49 case

Related people
Parker Nigel
Nigel Parker

Partner

London

View profile →

Van Dyck Peter
Peter Van Dyck

Partner

Brussels

View profile →

Nicole Wolters Ruckert

Counsel

Amsterdam

View profile →

Di Lorenzo Catherine
Catherine Di Lorenzo

Counsel

Luxembourg

View profile →

Paul Wagner

Junior Associate

Luxembourg

View profile →

Bossotto Livio
Livio Bossotto

Employment Counsel

Milan

View profile →

van der Leeuw-Veiksha Anna
Anna van der Leeuw-Veiksha

Professional Support Lawyer

Amsterdam

View profile →

02 October 2019

On 1 October 2019, the Court of Justice of the European Union (CJEU) issued its long-awaited decision in the case Planet49 (Case C‑673/17). The decision clarifies the requirements for valid cookie consent under Directive 2002/58 (ePrivacy Directive).

In particular, the CJEU rejects pre-ticked boxes as a means of providing valid consent to the use of cookies. The CJEU clarifies that valid cookie consent must comply with the consent requirements of the General Data Protection Regulation 2016/679 (GDPR). This clarification does not come as a surprise in view of recent regulator guidance on the interplay of the ePrivacy Directive and the GDPR as well as local regulator guidance (for instance from the French CNIL or the UK ICO). The court further holds that when requesting their consent for cookies, users must be informed about both the operation period of the cookies and whether or not third parties are given access to those cookies.

The CJEU objects to tying cookie consent to the participation in an online lottery but, unlike in the opinion of the Advocate General in this case, the court nevertheless leaves open the question of whether users may ‘sell’ their personal data in exchange of a service (e.g. obtained at a lower price) in other circumstances. Guidance on selling personal data in this context is expected from the European Data Protection Board (EDPB), which considered this issue during its plenary meeting on 10 September 2019.

Read the full decision here.

The facts of the case

The case relates to an online lottery organised by Planet49 GmbH (Planet49). Prior to participating in the lottery, users had to enter their name and address and were shown two checkboxes before they could hit the participation button. The first checkbox asked for the users’ consent to receiving marketing information from selected sponsors and partners. This checkbox was not pre-ticked. The second checkbox, however, was pre-ticked. It related to the users’ consent to the use of cookies for advertising purposes and analytics. It was only possible to participate in the lottery if at least the first checkbox had been ticked.

In the description next to the second checkbox, users were given brief information on the cookies’ purposes, on the provider of the web analytics service, on the fact that users could delete the cookies at any time and that it would be Planet49 who sets the cookies. By clicking on a link in the description (“You can read more about this here”), users were given further details on the cookies placed, including a short description of the functioning of the cookies and the fact that the cookies would track users on the websites of advertising partners who registered for the web analytics service in question. The website further specified that no user profiles involving multiple advertising partners would be created.

The Federation of German Consumer Organisations took Planet49 to the German courts, claiming that the concerned declarations of consent were not compliant, among others, with the German transposition of the ePrivacy Directive. The Bundesgerichtshof (Federal Court of Justice) referred several question to the CJEU, including in particular whether pre-checked boxes constitute valid cookie consent.

A pre-ticked checkbox is not a means of obtaining valid consent

The CJEU established that the consent required under the ePrivacy Directive for storing or accessing cookies must comply with the requirements for consent under the GDPR. Although not referred to by the court, this confirms the EDPB’s position in its Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR.

In accordance with the GDPR, consent must be “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Thus, consent that does not comply with the requirements of the GDPR may not be relied upon for the purposes of the ePrivacy Directive.

The CJEU found several issues with regard to a pre-ticked checkbox as a means of obtaining valid consent to the use of cookies, such as the one used by Planet49 in its online lottery. First, if the user must take action by un-ticking the checkbox to object to the use of cookies, and not the other way around, this does not constitute an affirmative behaviour as required under the ePrivacy Directive. Moreover, if the user participates in the lottery without un-ticking the checkbox, one does not know whether or not the user really acknowledged the checkbox. In this sense, one cannot be sure that the user has made an informed choice.

Planet49 argued that a valid consent is given on the part of the user, not when he does not unclick a pre-formulated declaration of consent but when he actively clicks on the participation button for the online lottery. However, the CJEU dismissed this argument on the basis that consent must be specific to the processing of personal data concerned and may not be derived from an indication of wishes having a different objective. Thus, in the circumstances at hand, participation in the lottery and consent to cookies could not be tied together.

As a result, it does not constitute a valid consent within the meaning of the ePrivacy Directive in conjunction with the GDPR if the storage of cookies or access to information already stored on user’s terminal equipment (such as cookies) is permitted by way of a pre-ticked checkbox which the user must deselect to refuse his consent.

The ePrivacy Directive applies irrespective of whether the information stored or accessed constitutes personal data

The CJEU further confirmed that the objective of the ePrivacy Directive consists in protecting the users against any interference with their private life, irrespective of whether this interference concerns or not personal data. Furthermore, the ePrivacy Directive refers to the ‘storing of information’ and ‘the gaining of access to information already stored’, without qualifying this information as personal data. Thus, it does not make a difference whether the information (or cookie) stored or accessed constitutes personal data for the purposes of the ePrivacy Directive.

The information obligation under the ePrivacy Directive also includes the cookie operation period and the question of whether third parties are given access to the cookies

By reference to the fairness principle while processing personal data, the CJEU held that in a situation such as in the case at hand, where cookies are used to collect information for advertising purposes in respect to the products of the partners of the online lottery, the duration of the operation of a cookie and the question of whether third parties are given access to the cookies are to be included as part of the clear and comprehensive information required under the ePrivacy Directive.

Pursuant to the CJEU, this also follows from the GDPR, the information requirements of which must be complied with when storing or accessing cookies in the terminal equipment of the user. In accordance with these requirements, the information to be provided must contain both the duration of the operation of cookies and whether or not third parties have access to those cookies.

Key takeaways: Cookie usage must comply with the GDPR

The Planet49 case confirms the approach of the EDPB and national data protection authorities, without, however, mentioning these positions. The court asserts that consent for using cookies and other online tracking methods and techniques (e.g. flash cookies, tags, scripts, pixels, device fingerprinting, etc.), despite being currently governed by special legal norms of the ePrivacy Directive, do not escape the requirements for consent as set out in the GDPR. More specifically, when using cookies on your website that require consent:

  • You should review your cookie consent mechanism and specifically review the mechanism on the use of pre-ticked boxes. Please note that the use of pre-ticked consent boxes does not lead to valid cookie consent; and
  • You should review your cookie policy and make sure that users receive information, among others, about the duration of the operation of cookies as well as whether third parties are given or not access to these cookies.

Finally, the CJEU recalled that EU law must normally be given an autonomous and uniform interpretation throughout the EU. By this statement, the court acknowledged, yet implicitly, the different transpositions of the ePrivacy Directive and diverging guidance from the national data protection authorities in the various Member States. These differences may cause legal uncertainty when operating in more than one Member State. Hopefully, the EDPB or the upcoming ePrivacy Regulation will address issue.