The Court of Justice of the European Union (the ‘CJEU’) has recently delivered an important judgement on the storage of cookies and the requirement of active consent from internet users. It sets an important legal precedent in the ePrivacy area. This article provides a brief overview of the case and takes a look at the key takeaways from the CJEU’s judgement.
The internet is something which we cannot live without today and website browsing has become an inherent activity in our everyday lives. We are increasingly being bombarded with information, mainly in the form of adverts which, to the surprise of most of us, concern the services and products of companies that we then realise we recently looked up on the internet. This phenomenon is made possible by a minuscule text file stored on a website user’s device, commonly known as a “cookie”. Cookies are generated by web servers when one accesses an internet page and gather various types of information used for different purposes, but largely for tracking a user’s activity while browsing the internet.
This is deemed to be an interference with the right to private life. It is, in fact, the aim of European Union (the ‘EU’) legislation on electronic communications to protect a website user against any interference with his or her private life, in particular against the risk of hidden identifiers or other similar devices, such as cookies, entering a user’s terminal equipment without his or her knowledge.
In Case C-673/17 Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV v Planet49 GmbH (the ‘Planet49 Case’), the CJEU dealt with such an issue. It interpreted legal provisions in the electronic communications privacy context, namely those of Directive 2002/58/EC (the ‘e-Privacy Directive’), which are to be read in conjunction with the provisions of Directive 95/46/EC, now the infamous Regulation (EU) 2016/679 (the ‘GDPR’).
Facts of the Case
Planet49, an online German company, made use of a pre-checked checkbox by which website users wishing to participate in a promotional lottery organised by the company had to consent to the storage of cookies. Planet49’s cookies accessed and collected information in order to promote the products of Planet49’s partners. The German Federation of Consumer Organisations challenged this use by Planet49 before the German courts.
The German Federal Court of Justice requested the CJEU to interpret the relevant EU law provisions.
The CJEU’s Judgement
The CJEU ruled that the consent required from a website user for information to be stored, or for information already stored on the user’s terminal equipment to be accessed, by means of cookies is not validly constituted where the user is obliged to deselect a pre-checked checkbox in order to refuse his or her consent.
The CJEU also decided that the above applies irrespective of whether or not the information stored or accessed on a user’s terminal equipment is deemed to be personal data.
In addition to the above, the CJEU ruled that the information which must be furnished to a website user, in accordance with the e-Privacy Directive, must include how long the cookies will be in operation and whether or not third parties may have access to such cookies.
Implications for entities using cookies
The CJEU ruling clarifies that organisations may provide pre-checked check-boxes only for those cookies which are strictly necessary.
Organisations which have websites and use cookies to gather information on user preferences, and for the purposes of statistics and marketing, need to ensure that they obtain valid consent from their website users for such cookie use.
What does valid consent really mean?
The consent required, according to the e-Privacy Directive, examined by the CJEU in the Planet49 case, must be read in conjunction with the GDPR (which repealed the Data Protection Directive).
The GDPR requires that valid consent is freely given, specific, informed and an unambiguous indication of the data subject’s preference, by means of a clear affirmative action.
A cookie banner should contain information about the cookies being used and the sort of information being collected but, as the CJEU has now confirmed, must also include sufficient information as to the period of the operation of the cookies and, if applicable, who may access such cookies.
Most importantly, if organisations wish to rely on check-boxes in order to allow users to indicate their consent, these must not be pre-ticked boxes. The user must make a clear affirmative action showing their agreement to the processing of their data; silence and/or inactivity would not be sufficient.
Obtaining consent and its management
According to the GDPR, if relying on consent, an organisation needs to provide evidence in order to demonstrate that proper consent has been obtained.
It is important that the organisation regularly reviews the consent obtained, in particular where the purpose for which data had originally been collected has changed.
This judgement of the CJEU is of extreme importance, in particular to all website owners, since it is one of the first that specifically tackles consent in the context of cookies, following the start of the GDPR’s application in 2018.
It further confirms and clarifies that an opt-out approach to obtaining consent for cookies which are not strictly necessary for the functioning of the website will not suffice, and that explicit, active consent is required.
The CJEU, in its judgement, does not discriminate between personal and non-personal data. The judgement handed down in the Planet49 case therefore means that explicit consent is required not only when the information stored on or accessed from a user’s device is personal data but also when it is not personal data.