On October 1, 2019, the Court of Justice of the European Union (CJEU) issued a final ruling in the Planet49 case (case C-673/17 – available here).

Following a request for preliminary ruling from the German Federal Court of Justice, the Bundesgerichtshof, the CJEU interpreted the consent requirement of Directive 2002/58/EC, as amended by Directive 2009/136/EC (hereafter the “e-Privacy Directive”) in light of former Directive 95/46/EU (hereafter the “Data Protection Directive”) as well as in light of its successor – the General Data Protection Regulation (GDPR).

The Court made it clear that the placing and reading of tracking cookies on a user’s terminal equipment requires an active and unambiguous consent of the user. A pre-ticked checkbox does not meet these requirements and therefore does not constitute a valid consent. Also, the Court underlined that consent must be specific. In the case at hand, the act of selecting a button to participate in a promotional online lottery cannot be construed as consent of the user to the storage of cookies.

Moreover, the Court clarified that these requirements regarding the consent of the user for usage of cookies are applicable regardless of whether the information stored or consulted on the user’s device constitutes “personal data.”

Finally, the Court held that cookie consent must be “informed” as per the GDPR, which means that service providers must also provide information on the duration of the operation of cookies, as well as in relation to any third party access to those cookies.

The facts

Planet49, an online gaming company, organized an online promotional lottery. Before participating, website users were provided two check-boxes. The first was unchecked and solicited consent for receiving promotional materials from sponsors and partners of Planet49. Participation in the lottery is possible only if at least the first checkbox is ticked. The second, pre-checked box solicited consent for the installation of cookies for advertising purposes on the terminal equipment of the website user.

These consent gathering practices were challenged before a regional court in Frankfurt am Main by a consumer rights organization – the Verbraucherzentrale Bundesverband. Following an appeal, the case eventually made its way to the German Federal Court of Justice. The latter refers the case to the CJEU for a preliminary ruling asking for clarification on (a) the legality of obtaining consent for the use of cookies with a pre-ticked checkbox under the e-Privacy Directive in light of the Data Protection Directive and the GDPR; and (b) what information a service provider has to provide to end users when making use of cookies.

The judgement of the Court

Under the e-Privacy Directive, storing information or gaining access to information already stored on a user’s terminal equipment (i.e., placing and reading cookies)[1] requires the informed consent of the user. Such consent must be interpreted in accordance with the Data Protection Directive – now the GDPR. From this, it follows that that consent must be “actively given,” “unambiguous,” and “specific.”

“Unambiguous”

Because a pre-ticked checkbox does not involve active behavior by the user, it also cannot be considered unambiguous under the Data Protection Directive and the GDPR. Indeed, the Court stated that only active behaviour on the part of the data subject with a view to giving his or her consent may be considered as unambiguous consent. With a pre-ticked checkbox, ambiguity remains, as a user might as well have overlooked the checkbox before continuing his or her browsing session. There is also no way of verifying whether such consent was “informed.”

“Specific”

The Court found that consent gathered through a pre-ticked box also cannot be considered specific. Consent must be tied directly to the processing of the data in question and cannot be inferred from the data subject’s wishes for other purposes. The fact that a user selects a button to participate in the promotional lottery organized by Planet49 is not by itself evidence that the user validly gave his or her consent to the storage of cookies.

“Freely given”

The referring court did not raise the issue of whether a user’s consent to the processing of personal data for advertising purposes is considered “freely given” when it is a prerequisite to the user’s participation in a certain information society service (in the case at hand, a promotional lottery). The CJEU could therefore not pass judgement on this interesting topic.

Important take-aways / Relevance for businesses

First, the obligation to obtain consent under the e-Privacy Directive is not limited to personal data. The requirement concerns “the storing of information” or “the gaining access to information already stored in the terminal equipment of a subscriber or user.” . As stated in the Opinion of Advocate General Szpunar, this provision aims to protect the user from interference with his or her private sphere, regardless of whether or not that interference involves personal data.

Second, the e-Privacy Directive requires that a user giving his or her consent to the placing and reading of cookies has been provided with “clear and comprehensive information, in accordance with [the Data Protection Directive – now the GDPR].” The Court now clarifies that this information provided to the user must also include the duration of the operation of cookies, and whether or not third parties may have access to those cookies.

The reasoning of the court is in line with the prevailing view that cookie consent requires an active behaviour of the user.

For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.

[1] This consent requirement under the e-Privacy Directive does not apply to technical storage or access for the sole purpose of carrying out a transmission or communication, or cookies that are strictly necessary in order for the service provider to provide a service explicitly requested by a subscriber.

 

Print:
EmailTweetLikeLinkedIn
Photo of Maarten Stassen Maarten Stassen

Maarten Stassen is a partner in the Brussels office of Crowell & Moring, where he is a member of the firm’s Privacy & Cybersecurity Group. His practice focuses on privacy and data protection, including the General Data Protection Regulation (GDPR) and cross-border data…

Maarten Stassen is a partner in the Brussels office of Crowell & Moring, where he is a member of the firm’s Privacy & Cybersecurity Group. His practice focuses on privacy and data protection, including the General Data Protection Regulation (GDPR) and cross-border data transfers solutions, as well as on the legal and operational aspects of the digital ecosystem, including Internet of Things (IoT), MedTech, and upcoming technologies such as Distributed Ledger Technology (e.g. Blockchain).

Before joining Crowell & Moring, Maarten was a director in Deloitte’s Cyber practice, as well as the Faculty Leader of the European Privacy Academy. He has been focusing on privacy and data protection law for many years, first as a lawyer in both Spain and Belgium, and later as European Privacy Officer of an international health insurance company.

Photo of Heidi Waem Heidi Waem

Heidi Waem is a counsel in the Brussels office of Crowell & Moring, where she is a member of the firm’s Privacy & Cybersecurity Group. Her practice focuses on privacy and data protection, contract law, market practices and consumer law, and IP/IT.

Heidi…

Heidi Waem is a counsel in the Brussels office of Crowell & Moring, where she is a member of the firm’s Privacy & Cybersecurity Group. Her practice focuses on privacy and data protection, contract law, market practices and consumer law, and IP/IT.

Heidi advises clients on all data protection / privacy & cybersecurity related matters. This includes advising on the establishment of a comprehensive data protection framework; drafting and reviewing relevant notices, policies and contracts; advising on data transfers; assisting in the case of data breach, on pre-litigation issues involving data subject complaints and requests, and in proceedings before the data protection authority.

Photo of Louis Vanderdonckt Louis Vanderdonckt

Louis Vanderdonckt is an associate in the Brussels office of Crowell & Moring, where he is a member of the firm’s Privacy & Cybersecurity Group. His practice focuses on privacy and data protection in the fields of telecommunications and payment services, as well…

Louis Vanderdonckt is an associate in the Brussels office of Crowell & Moring, where he is a member of the firm’s Privacy & Cybersecurity Group. His practice focuses on privacy and data protection in the fields of telecommunications and payment services, as well as on the legal and operational aspects of upcoming technologies such as Distributed Ledger Technology (e.g. Blockchain) and the Internet of Things.

Prior to joining Crowell & Moring, Louis worked as an intern in a specialized data protection and IP law firm and as a junior legal counsel in the payment services industry.