Cookie consent is one of the central topics in the digital world. Earlier, websites got away with just a pop-up notice that only notified users of the usage of cookies on the site. Now, that is illegal, thanks to the General Data Protection Regulation (GDPR) and ePrivacy Directive 2002/58/EC (ePD), which is also known as the 'EU cookie law.' They make it mandatory for website operators to seek prior consent from the users before using cookies.
User consent has made data protection more efficient. Court of Justice of the European Union’s (CJEU) recent ruling on cookie consent, therefore, makes sense.
This article explores the Planet49 case filed by the German Federation on Consumer Organizations and the CJEU judgment on the cookie consent.
The Planet49 Case Background
Planet49 GmbH, a German online gaming company, in 2013, conducted a promotional lottery on its website. They asked users to give their information, such as name, address, and postcode, to participate in the draw. They were presented with two checkboxes:
- An unticked checkbox that required users to consent to the usage of cookies by Planet49’s sponsors and partners to send promotional offers. Users could not enter the lottery unless they tick the checkbox.
- A pre-ticked checkbox that required users to consent to the usage of advertising cookies set by Planet49 partners. Users could opt-out of it by manually unticking the checkbox.
The German Federal Court of Justice asked CJEU to interpret the EU law on the protection of electronic communications privacy.
CJEU Judgment on Cookie Consent
On Oct 1, 2019, the EU court published its ruling on the case. They based their decisions on GDPR and ePD requirements.
Consent obtained through a pre-ticked checkbox is not valid
Consent obtained should be through the user’s clear and affirmative action. Per Recital 32 of GDPR:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data […] Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent.”
CJEU, however, did mention that the decision remains the same for non-personal data as well.
Specific cookie consent
The court stated that:
“data subject’s wishes […] be ‘specific’ in the sense that it must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject’s wishes for other purposes.”
Informed cookie consent
CJEU declared that the information provided to users should include the duration of the cookies that they will store on their device and if any third party has access to these cookies.
“It must be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed.”
Users must be aware of all the details about the cookies and what consenting to use them will mean. Knowledge of such information will make the decision easy and clear for them.
Read the full text of CJEU judgment here.
The CJEU judgment is a good reminder that cookie consent is not something you should take lightly. If the organizations abide by the data protection principles, then it will not harm them. They can avoid the fines and penalties and the negative impact that it may have on them.
Disclaimer: The purpose of this article is to share general information about the case findings. It does not represent any legal advice.