On 1 October 2019, the Court of Justice of the European Union (CJEU) issued a judgment stating that website operators wishing to store cookies on a user's device must obtain active, freely given, specific, informed and unambiguous (i.e. GDPR-level) consent. Specifically, the court ruled that opt-out consent, by way of a pre-ticked checkbox, is insufficient to obtain consent for the storage of cookies.
The case involved Planet49, an online gaming company. Users wishing to participate in an online sweepstake hosted by Planet49 were presented with two checkboxes:
- The first checkbox requested confirmation from the user as to their acceptance of marketing emails from sponsors and partners of Planet49. This checkbox was empty, requiring users to actively opt in to such communications; however, the user could not participate in the lottery without ticking and accepting marketing communications from a certain number of partners or sponsors.
- The second checkbox, containing a pre-selected tick, noted the users' consent to Planet49's use of web analytics. In other words, this second pre-ticked checkbox was intended to confirm users' acceptance of Planet49's placement of cookies on the users' devices to collect information about their behaviour on the websites of advertising partners.
Questions brought before the CJEU
The questions referred to the CJEU concerned Directive 2002/58 (the ePrivacy Directive), the Data Protection Directive 95/46 (the DPD), and the General Data Protection Regulation 2016/679 (the GDPR):
| Question referred to the CJEU | The CJEU's answer |
| --- | --- |
| Does a pre-selected checkbox that the user must actively uncheck to prevent giving their consent (opt-out) amount to a valid consent under the ePrivacy Directive, in conjunction with the DPD and/or the GDPR? | Pre-ticked boxes to obtain cookie consent do not constitute a valid consent under the ePrivacy Directive, nor the DPD nor the GDPR. Consent must be given in an "active" way. |
| Does it matter whether the information stored or accessed via the cookies is personal data? | No, it doesn't matter whether cookies process personal data or not. Unambiguous, active consent is required either way. |
Why does this matter?
This ruling is another example of authorities tightening the rules around cookie consent. The CJEU's judgment has confirmed the following:
- Consent under GDPR must be the result of a user's active behaviour. Pre-ticked boxes make it objectively impossible to ascertain whether the user has consented, as you cannot exclude the possibility that the user has not read the information (or noticed the checkbox). Interestingly, the ruling also confirms that active consent is required under the ePrivacy Directive, regardless of whether cookies involve the processing of personal data or not. Thus, ePrivacy rules must protect the user's terminal equipment or devices against any form of interference, irrespective of the legal classification of the information stored or collected on them.
- The consent given by a user to participate in a promotional lottery (the first checkbox) is not sufficient to consider that such user gives their consent for the setting of cookies on their device (the second checkbox). Consent must be specific, and cannot be inferred from an indication of the individual's wishes for other purposes. However, where a distinct statement or indication of the data subject's wishes is presented, that could be a valid way of obtaining consent (i.e. a statement asking separately to accept the terms and conditions on the one hand, and the processing of personal data on the other hand).
The Court was not asked, and therefore did not rule on, whether consent is "freely given" when the individual is required to accept processing of personal data for advertising purposes in order to participate in a promotional lottery. The Court did not go so far as the Advocate General to provide its analysis on this specific issue and thus left open an aspect with significant implications for ad-funded content and other "paywall" systems.
The CJEU reiterated that cookies necessary for the purpose of carrying out the transmission of a communication, or otherwise strictly necessary in order to provide a service, do not require consent.
What should companies be doing?
This CJEU ruling will have an impact on almost all website operators. The key practical takeaways for website operators can be summarised as follows:
- Amend the cookies policy or cookies consent in order to inform the user about the lifetime / duration of cookies.
- Amend the cookies policy or cookies consent in order to inform the user about the third parties having access to cookie information. A general statement that third parties may have access to cookie information is not sufficient. It is necessary to identify each third party individually.
This judgment serves to reinforce the understanding already reached in the UK, Netherlands and France, where data protection authorities have already issued guidance confirming that the placing of cookies requires active, GDPR-level consent.
In Germany, the judgment shines a new light on a very specific issue going beyond “implied consent” and “pre-ticked boxes”.
- The German Telemedia Act (Telemediengesetz) still allows pseudonymous profiling (including the therefore necessary placing of cookies) for marketing and customization purposes on an opt-out basis.
- If, as a consequence of the CJEU judgment, this provision is considered out of step with the “active consent” requirement enshrined in the ePrivacy Directive, and therefore inapplicable (which appears likely), then the placing of cookies in Germany would be comprehensively regulated by the GDPR, since European directives cannot directly apply vis-à-vis
- As the GDPR does not envisage a rigid opt-in requirement like that under the ePrivacy Directive, it would have to be assessed on an individual basis whether a profiling measure in fact requires the consent of the data subject, or can be still based on legitimate interests of the website operator or another party. Also, unlike the ePrivacy Directive, the GDPR would only apply where the data stored in a cookie would be classified as personal data.
In any case, it seems likely that this ruling will encourage enforcement action by local authorities against the numerous non-compliant website operators.