03 Oct 2019

A key topic in European data protection law is the interaction between the General Data Protection Regulation 2016/679 (the GDPR) and Directive 2002/58/EC (the e-Privacy Directive), and specifically how it affects online advertising involving cookies.  

On 1 October 2019, the Court of Justice of the European Union (CJEU) handed down an important decision relating to the way that consent is obtained under the GDPR and e-Privacy Directive in relation to cookies. A link to the judgment can be found here. While the CJEU has left a core question unanswered, the CJEU’s findings are largely unsurprising and have created certainty concerning the appropriate standard for consent when using cookies.  

The Planet49 case 

The judgment relates to proceedings brought in Germany between the Federal Union of Consumer Organisations and Associations, Germany (the Federation) and Planet49 GmbH, an online gaming company (Planet49).  

Planet49 organised an online promotional lottery. Internet users wishing to take part in the lottery were required to enter their postcodes, which redirected them to a web page where they were then required to enter their names and addresses. As part of the process, Planet49 sought to obtain a consent from the internet user to set certain cookies. The consent featured a pre-checked consent box which the internet user would need to un-check in order to withhold consent. The 'default' option was therefore that consent to the relevant cookies was given, unless the user actively un-checked the box.  

The German Federal Court referred the following questions to the CJEU concerning the validity of the consent mechanism: 

  1. Does a pre-checked box enable valid consent to be obtained for the use of cookies?
  2. Does the law differentiate between those cookies that involve the processing of personal data and those cookies that do not?  
  3. What information does the website operator have to provide to the user to comply with Article 5(3) of the e-Privacy Directive?  Specifically, must users be provided with information concerning (i) the period of operation of the cookies and (ii) whether third parties are given access to the cookies?

Key findings from the CJEU

The CJEU found the following: 

  1. A cookie consent mechanism that uses a pre-checked box which must be unselected by the user in order to refuse consent is not valid consent for the purposes of the e-Privacy Directive.
  2. This standard of consent applies to the use of cookies regardless of whether the information stored or accessed is classified as 'personal data' under the GDPR. 
  3. In relation to the information that must be provided to the user about cookies and the interpretation of Article 5(3) of the e-Privacy Directive, the CJEU confirmed: 
    1. The website operator must ensure the information provided is "…clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed" and 
    2. Article 5(3) must be interpreted such that the information to be provided must include the "duration of the operation of the cookies and whether or not third parties may have access to those cookies".

The unanswered question: Can consent be 'freely given' where a user's consent is a prerequisite to taking part in the online lottery?

As expressly noted by the CJEU, the judgment does not address the question of whether the requirement under the GDPR that consent must be 'freely given' is complied with in circumstances where a user's consent to the processing of his personal data for advertising purposes is a prerequisite to the user taking part in the online lottery. The lack of a view on this is somewhat disappointing as it would have been helpful to have judicial authority on this point.  

Conclusion

The judgment is largely unsurprising and provides helpful judicial authority that is consistent with the approach adopted by the ICO in its guidance on consent and the use of cookies and similar technologies. In light of the clarity brought to this key area by the CJEU's findings, website operators should give serious consideration as to whether their use of cookies is compliant with the judgment.