On October 1, 2019, the Court of Justice of the European Union (CJEU) issued a final ruling in the Planet49 case (case C-673/17 – available here).
Following a request for preliminary ruling from the German Federal Court of Justice, the Bundesgerichtshof, the CJEU interpreted the consent requirement of Directive 2002/58/EC, as amended by Directive 2009/136/EC (hereafter the “e-Privacy Directive”) in light of former Directive 95/46/EU (hereafter the “Data Protection Directive”) as well as in light of its successor – the General Data Protection Regulation (GDPR).
The Court made it clear that the placing and reading of tracking cookies on a user’s terminal equipment requires an active and unambiguous consent of the user. A pre-ticked checkbox does not meet these requirements and therefore does not constitute a valid consent. Also, the Court underlined that consent must be specific. In the case at hand, the act of selecting a button to participate in a promotional online lottery cannot be construed as consent of the user to the storage of cookies.
Moreover, the Court clarified that these requirements regarding the consent of the user for usage of cookies are applicable regardless of whether the information stored or consulted on the user’s device constitutes “personal data.”
Finally, the Court held that cookie consent must be “informed” as per the GDPR, which means that service providers must also provide information on the duration of the operation of cookies, as well as in relation to any third party access to those cookies.
Planet49, an online gaming company, organized an online promotional lottery. Before participating, website users were provided two check-boxes. The first was unchecked and solicited consent for receiving promotional materials from sponsors and partners of Planet49. Participation in the lottery is possible only if at least the first checkbox is ticked. The second, pre-checked box solicited consent for the installation of cookies for advertising purposes on the terminal equipment of the website user.
The judgement of the Court
Under the e-Privacy Directive, storing information or gaining access to information already stored on a user’s terminal equipment (i.e., placing and reading cookies) requires the informed consent of the user. Such consent must be interpreted in accordance with the Data Protection Directive – now the GDPR. From this, it follows that that consent must be “actively given,” “unambiguous,” and “specific.”
Because a pre-ticked checkbox does not involve active behavior by the user, it also cannot be considered unambiguous under the Data Protection Directive and the GDPR. Indeed, the Court stated that only active behaviour on the part of the data subject with a view to giving his or her consent may be considered as unambiguous consent. With a pre-ticked checkbox, ambiguity remains, as a user might as well have overlooked the checkbox before continuing his or her browsing session. There is also no way of verifying whether such consent was “informed.”
The Court found that consent gathered through a pre-ticked box also cannot be considered specific. Consent must be tied directly to the processing of the data in question and cannot be inferred from the data subject’s wishes for other purposes. The fact that a user selects a button to participate in the promotional lottery organized by Planet49 is not by itself evidence that the user validly gave his or her consent to the storage of cookies.
The referring court did not raise the issue of whether a user’s consent to the processing of personal data for advertising purposes is considered “freely given” when it is a prerequisite to the user’s participation in a certain information society service (in the case at hand, a promotional lottery). The CJEU could therefore not pass judgement on this interesting topic.
Important take-aways / Relevance for businesses
First, the obligation to obtain consent under the e-Privacy Directive is not limited to personal data. The requirement concerns “the storing of information” or “the gaining access to information already stored in the terminal equipment of a subscriber or user.” . As stated in the Opinion of Advocate General Szpunar, this provision aims to protect the user from interference with his or her private sphere, regardless of whether or not that interference involves personal data.
Second, the e-Privacy Directive requires that a user giving his or her consent to the placing and reading of cookies has been provided with “clear and comprehensive information, in accordance with [the Data Protection Directive – now the GDPR].” The Court now clarifies that this information provided to the user must also include the duration of the operation of cookies, and whether or not third parties may have access to those cookies.
The reasoning of the court is in line with the prevailing view that cookie consent requires an active behaviour of the user.
For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.
 This consent requirement under the e-Privacy Directive does not apply to technical storage or access for the sole purpose of carrying out a transmission or communication, or cookies that are strictly necessary in order for the service provider to provide a service explicitly requested by a subscriber.