News & Insight

Data protection October 28, 2019
Planet 49 Judgment – takeaways for Cookie Monsters

Planet 49 Judgment – takeaways for Cookie Monsters

Anyone doing business online is using cookies or similar bits of tech – i.e. data created by a website and then stored on the user of that website’s browser (to feed back to the originating website details of where the user goes on the internet, to capture her user names and passwords, to store her preferences, and so on…).

This month the Court of Justice of the European Union (the “CJEU”) handed down its much-anticipated Judgment in the Planet 49 case.

The Judgment looked at cookie consent and compliance under the General Data Protection Regulation 2016/679/EU (“GDPR”) and the Privacy and Electronic Communications Directive 2002/58/EC (“e-Privacy Directive”).

The CJEU was asked to interpret EU law relating to the use of cookies following a referral from the Federal Court of Justice in Germany.

Key finding unsurprising

The CJEU’s decision is not surprising: pre-ticked boxes are insufficient to obtain consent from website users. The Judgment also confirms that consent must be freely given, specific, informed and unambiguous.

The Judgment also offered some guidance on what website users need to be informed about in relation to a website operator’s use of cookies. Specifically, this should include details of the duration of the cookies and whether third parties will be granted access to these cookies.

Background

Planet49 GmbH (“Planet49”), a German gaming company, organised a promotional lottery in 2013. To enter the lottery draw, website users had to enter their name, address and postcode. Below the input fields for their address, they were presented with two explanatory statements accompanied by checkboxes, as follows:

  • The first checkbox (unticked): required the user to agree that Planet49’s sponsors and partners could contact them with marketing by post, phone, email and/or SMS; and
  • The second checkbox (pre-ticked): required the user to agree to Planet49 placing cookies on their device using a web analytics service called Remintrex. (This would enable Planet49 to analyse their surfing and use behaviour on websites of advertising partners for Remintrex to use for interest-based advertising.)

Users could only participate in the lottery if at least the first checkbox was ticked. They could, however, opt out of the use of cookies if they manually unticked the second checkbox.

Court’s key findings

A pre-ticked checkbox cannot amount to valid consent under the e-Privacy Directive and the GDPR

The CJEU ruled that a pre-ticked checkbox which a website user could un-tick to opt out could not legally amount to valid consent under the e-Privacy Directive and the GDPR.

Consent must be “freely given, specific, informed and unambiguous” in accordance with Article 4(11) of the GDPR.  The CJEU further argued that a pre-ticked checkbox could not be considered consent because it would be impossible to ascertain whether a website user had given their consent, or whether they had simply not noticed the checkbox and unknowingly given their consent by not unticking it.

Active consent is required for all cookies, regardless of whether or not personal data is accessed and stored

The CJEU noted that Article 5(3) of the e-Privacy Directive refers to the storing and access to information already stored without characterising that information or specifying that it must be personal data.

The CJEU therefore takes the view that all cookies, including strictly necessary reach measurement or tracking cookies, require active consent (in accordance with the GDPR’s definition for consent) before they can be set by the website publisher.

Website publishers must provide certain information about the cookies they use

The CJEU ruled that website publishers must provide clear and comprehensive information to website users which is sufficiently detailed to help them understand the function of the cookies that are set on their device. Specifically, this should extend to the duration of the cookies and whether third parties are given access to them.

Issues not addressed

Whilst the Judgment provides some helpful clarification on the requirements for cookie consent, the CJEU purposefully did not consider whether consent to the processing of personal data for advertising purposes can be “freely given” where such consent is a prerequisite to that user’s participation in the lottery.

This specific issue was not referred by the Federal Court and the CJEU did not deem it appropriate to consider the point. Given the increasing use of cookie walls as consent mechanisms, a clear ruling on this would have been useful particularly as website publishers start to review their consent mechanisms following the Planet49 decision.

What should you do next?

There are various steps that website operators can take following the CJEU’s ruling:

  • Review cookie consent mechanisms to make sure that you are not using pre-ticked boxes, soft opt-ins or any other similar settings to obtain consent for your use of cookies. You may, for example, consider implementing a Consent Management Platform (CMP) to manage cookie consent on your website(s) if you do not already use one.
  • Take this opportunity to review all of your consents to ensure they meet GDPR standards. They should be specific to the purpose for which consent is being obtained and unbundled from other consents (i.e. consent must be obtained separately for each purpose).
  • Refresh any cookie audits (or complete an audit as soon as possible) to review your use of cookies in general so that you understand what each cookie is being used for, its duration and whether third parties have access to them. This applies to both first- and third-party cookies. Cookie policies or other relevant information notices should be updated to include these details. You can also identify whether any cookies are no longer required and remove them.

Comment

The Planet49 decision is a useful reminder to businesses that they should take cookie compliance seriously and look at their current practices to ensure they are meeting the applicable rules.

The Judgment clarifies the standard of consent that is expected and confirms the link between the GDPR and the e-Privacy Directive.

This is further supported by recent activity on the draft ePrivacy Regulation, with the latest revisions published by the Presidency of the European Council on 4 October 2019. The latest draft includes amendments which clarify the link to the GDPR when it comes to processing of data collected from the end user’s terminal equipment, such as through the use of cookies.

This piece was researched and prepared by Victoria Clement with input from Husna Grimes.

All the thoughts and commentary that HLaw publishes on this website, including those set out above, are subject to the terms and conditions of use of this website.  None of the above constitutes legal advice.  None of the above should be relied upon.  Always seek your own independent professional advice.

Humphreys Law

If you would like to contact a member of our team, please get in touch by filling in the form below.

"*" indicates required fields

Humphreys Law