Planet49 Judgment – takeaways for Cookie Monsters
Anyone doing business online is using cookies or similar bits of tech – i.e. data created by a website and then stored in the browser of that website’s user (to feed back to the originating website details of where the user goes on the internet, to capture her user names and passwords, to store her preferences, and so on…).
This month the Court of Justice of the European Union (the “CJEU”) handed down its much-anticipated Judgment in the Planet49 case.
The Judgment looked at cookie consent and compliance under the General Data Protection Regulation 2016/679/EU (“GDPR”) and the Privacy and Electronic Communications Directive 2002/58/EC (“e-Privacy Directive”).
Key finding unsurprising
The CJEU’s decision is not surprising: pre-ticked boxes are insufficient to obtain consent from website users. The Judgment also confirms that consent must be freely given, specific, informed and unambiguous.
Planet49 GmbH (“Planet49”), a German gaming company, organised a promotional lottery in 2013. To enter the lottery draw, website users had to enter their name, address and postcode. Below the input fields for their address, they were presented with two explanatory statements accompanied by checkboxes, as follows:
- The first checkbox (unticked): required the user to agree that Planet49’s sponsors and partners could contact them with marketing by post, phone, email and/or SMS; and
- The second checkbox (pre-ticked): required the user to agree to Planet49 placing cookies on their device using a web analytics service called Remintrex. (This would enable Planet49 to analyse their surfing and use behaviour on websites of advertising partners for Remintrex to use for interest-based advertising.)
Court’s key findings
A pre-ticked checkbox cannot amount to valid consent under the e-Privacy Directive and the GDPR
The CJEU ruled that a pre-ticked checkbox which a website user could un-tick to opt out could not legally amount to valid consent under the e-Privacy Directive and the GDPR.
Consent must be “freely given, specific, informed and unambiguous” in accordance with Article 4(11) of the GDPR. The CJEU further argued that a pre-ticked checkbox could not be considered consent because it would be impossible to ascertain whether a website user had given their consent, or whether they had simply not noticed the checkbox and unknowingly given their consent by not unticking it.
Active consent is required for all cookies, regardless of whether or not personal data is accessed and stored
The CJEU noted that Article 5(3) of the e-Privacy Directive refers to the storing of information, and access to information already stored, without characterising that information or specifying that it must be personal data.
The CJEU therefore takes the view that all cookies, including strictly necessary reach measurement or tracking cookies, require active consent (in accordance with the GDPR’s definition for consent) before they can be set by the website publisher.
Website publishers must provide certain information about the cookies they use
The CJEU ruled that website publishers must provide clear and comprehensive information to website users which is sufficiently detailed to help them understand the function of the cookies that are set on their device. Specifically, this should extend to the duration of the cookies and whether third parties are given access to them.
Issues not addressed
Whilst the Judgment provides some helpful clarification on the requirements for cookie consent, the CJEU purposefully did not consider whether consent to the processing of personal data for advertising purposes can be “freely given” where such consent is a prerequisite to that user’s participation in the lottery.
This specific issue was not referred by the Federal Court and the CJEU did not deem it appropriate to consider the point. Given the increasing use of cookie walls as consent mechanisms, a clear ruling on this would have been useful, particularly as website publishers start to review their consent mechanisms following the Planet49 decision.
What should you do next?
There are various steps that website operators can take following the CJEU’s ruling:
- Take this opportunity to review all of your consents to ensure they meet GDPR standards. They should be specific to the purpose for which consent is being obtained and unbundled from other consents (i.e. consent must be obtained separately for each purpose).
The Planet49 decision is a useful reminder to businesses that they should take cookie compliance seriously and look at their current practices to ensure they are meeting the applicable rules.
The Judgment clarifies the standard of consent that is expected and confirms the link between the GDPR and the e-Privacy Directive.
This piece was researched and prepared by Victoria Clement with input from Husna Grimes.