On 1 October 2019, the Court of Justice of the European Union (CJEU) handed down a crucial decision impacting the way that consent is obtained on the internet. The judgment relates to Case C-673/17 (Planet49 – a previous post outlining the background can be found here).
In the Planet49 case, the German Federal Court referred a number of questions to the CJEU regarding the validity of consent to cookies placed by a website operating an online lottery. The questions before the CJEU amounted to the following:
1. Does a pre-checked box allow for valid consent to be obtained for the placement of cookies?
2. Does it matter whether information stored or accessed using cookies constitutes personal data?
3. Must users be provided with information concerning the duration of operation of the cookies and whether third parties are given access to them?
Despite the apparent simplicity of the questions, the CJEU’s decision needed to take into account the interaction of various pieces of legislation. The requirement for consent before cookies are placed originates from Directive 2002/58 (ePrivacy Directive), but the requirements for valid consent are now found in the General Data Protection Regulation 2016/679 (GDPR). To complicate matters, the facts and the initial hearing in this case occurred before the GDPR came into effect, when Directive 95/46 (Data Protection Directive) was the applicable law, so the considerations given by the CJEU to the concept of consent were primarily based on the provisions of the Data Protection Directive. However, somewhat surprisingly, the CJEU’s conclusion on what amounts to valid consent under the Data Protection Directive essentially matches the GDPR definition of consent.
Valid Consent for Cookies
In its decision, the CJEU confirms the key aspects for valid consent, namely:
- Consent must be active, rather than passive.
- Consent must be unambiguous. According to the CJEU, “only active behaviour on the part of the data subject with a view to giving his or her consent may fulfil that requirement.”
- The judgment also confirms that allowing users the chance to opt out by un-checking a pre-checked box does not constitute valid consent since “consent given in the form of a preselected tick in a checkbox does not imply active behaviour on the part of the website user.”
- Consent must be specific. This means that “it must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject’s wishes for other purposes.”
Given this reasoning, while some commonly used approaches to comply with this obligation (e.g. consenting purely by using a service or remaining on a webpage) are not specifically discussed, it is clear that these would be insufficient.
Unfortunately, the judgment does not address the requirement under the GDPR that consent must be “freely given,” which is disappointing given that this is the most difficult and contentious requirement for valid consent in practice. The judgment also confirms that this standard of consent applies to the placement of cookies irrespective of whether the information stored or accessed on a website user’s terminal equipment counts as “personal data” under the GDPR.
Providing Information about Cookies
The Court concluded that the information that must be provided to users about cookies needs to include the duration of the operation of the cookies and whether or not third parties may have access to them. This conclusion was reached on the basis that the purpose of providing this information is to put the user in a position to be able to give consent in a sufficiently informed manner, comprehending the functioning of the cookies employed and the consequences of providing consent.
The decision does not go so far as to say that service providers must identify third parties by name, so providing details of recipients or categories of recipients of the data will be sufficient – no doubt a great relief for those tasked with drafting “clear and comprehensive” cookie policies and transparency notices. On the cookie duration, the information that must be provided is the period for which the data will be stored, or if that is not possible, the criteria used to determine that period (in line with the transparency obligations contained in the GDPR).
The CJEU’s conclusions are, overall, unsurprising and provide a strong reaffirmation of the standard long upheld by regulators, both under the Data Protection Directive and the GDPR. In reaching these views, the court has ultimately removed any room for error about the appropriate standard for consent when placing cookies. As a result, website operators and regulators alike will now be under pressure to ensure that this standard is upheld going forward.