In the so-called Planet49 judgment (C-673/17) the Court of Justice of the EU (hereafter: ‘the Court’) recently ruled on the way in which consent for the storage of tracking cookies must be granted by a website visitor. Below you will find a description of the most important points from this judgment and a discussion of what it means in practice.
The Court defines cookies as text files which the provider of a website stores on the website user’s computer which that website provider can access again when the user visits the website on a further occasion, in order to facilitate navigation on the internet or transactions, or to access information about user behaviour.
Planet49 organised a promotional lottery on its website. Users wishing to take part in that lottery were required to enter their postcodes, names and addresses.
Beneath the input fields were two bodies of explanatory text accompanied by checkboxes. Through the first checkbox – which was not pre-checked – users could give consent to be contacted by sponsors and cooperation partners of Planet49 to keep them informed about offers. By means of the second checkbox – which was pre-checked – users gave permission to place cookies in order to analyse their surfing and use behaviour on the websites of Planet49’s advertising partners. Participation in the lottery was only possible when at least the first checkbox was checked.
The German Federation of Consumer Organisations argued before the German courts that the granting of consent by means of both checkboxes did not meet the legal requirements. Ultimately, the case ended up before the Bundesgerichtshof, which referred a number of preliminary questions to the Court, among other things because it doubted whether Planet49 had obtained legally valid consent for the placement of cookies.
Because during this procedure the Privacy Directive 95/46 had been replaced by the General Data Protection Regulation (‘GDPR’), the questions asked were answered on the basis of both the Privacy Directive and the GDPR.
Although it was not disputed in this case that personal data were processed by means of the cookies in question, the Court holds that this is not relevant to the question of whether consent should be sought for the placement of cookies. After all, the Privacy and Electronic Communications Directive 2002/58 makes no distinction between personal data and other data.
In the Netherlands, the provisions from aforementioned Directive that are relevant to this case have been implemented in the Dutch Telecommunications Act.
The Court of Appeal further observes that Article 5(3) of the Privacy and Electronic Communications Directive does not contain any indications about the way in which the consent must be granted. The recitals of this directive do show that the concept of consent has the same meaning as the concept of consent in the Privacy Directive and the GDPR.
This means that it must be a “freely given specific and informed indication of wishes.”
According to the Court, the requirement of an ‘indication’ of the data subject’s wishes clearly points to active, rather than passive, behaviour. However, consent given in the form of a preselected tick in a checkbox does not imply active behaviour on the part of a website user. It is not inconceivable that a user would not have read the information accompanying the preselected checkbox, or even would not have noticed that checkbox, before continuing with his or her activity on the website visited.
The concept of consent under the GDPR is even more stringent than under the Privacy Directive. According to the GDPR, consent is a “freely given, specific, informed and unambiguous indication of the data subject’s wishes”. According to the Court, the requirement of unambiguity can also only be met if the user clearly expresses his consent through active behaviour. Moreover, recital 32 expressly states that “silence, pre-ticked boxes or inactivity” should not constitute consent.
The Court adds that the indication must be specific in the sense that it must relate specifically to the processing of the data in question. The consent for the placement of cookies cannot be inferred from an indication of the data subject’s wishes for other purposes. In this case, this meant that the user had not validly given consent to the storage of cookies by clicking on the button to participate in the promotional lottery (the first check box). This means that consent for the storage of cookies must be granted by means of a separate check box. With this judgment, the Court of Appeal seems to agree with the conclusion of A-G Szpunar, who remarked that consent must not only be given actively, but also separately. The activity of a user on the internet (in this case: participation in a lottery) and the giving of consent cannot, in his opinion, form part of the same action.
Whether the above also means that separate consent must be granted for each type of cookie (e.g. tracking cookies, analytical cookies, third party cookies), as is currently the case on many websites, does not, in our opinion, follow specifically from this judgment.
- Interim conclusion
All in all, the Court considers that the user’s consent to the placing and consultation of cookies on his equipment has not been validly granted when a standard pre-checked checkbox has been used which the user must uncheck if he refuses to give his consent.
Obligation to provide information
Finally, the Court of Appeal also ruled that the website provider must inform users, among other things, about the duration of the operation of cookies and whether or not third parties may have access to those cookies. This information obligation also applies when no personal data are processed by means of the cookies.
In a situation where, as in the present case, the purpose of cookies is to collect information for advertising purposes relating to products from partners of the organiser of a promotional lottery, the duration of the operation of cookies and whether or not third parties may have access to these cookies is part of the clear and comprehensive information to be provided to the user in accordance with Article 5(2) of the Privacy and Electronic Communications Directive.
According to the Court, this interpretation is confirmed by Article 13(2)(a) of the GDPR which provides that the controller must, in order to ensure fair and transparent processing, provide the data subject with information relating, inter alia, to the period for which the personal data will be stored, or if that is not possible, to the criteria used to determine that period.
What does this mean in practice?
We recommend that website providers re-examine their consent texts for the storage of cookies, as valid consent may not have been obtained. This could lead to substantial fines.
Please note that users’ consent is not required for all types of cookies. Consent is not required for the placement of functional cookies or other cookies that have only a minimal impact on the privacy of users. However, consent is always required for the placement of tracking cookies, which enable the tracking of surfing behaviour of website visitors over a longer period of time over several websites. For analytical cookies, this differs from case to case.
- What should a statement of consent look like in practice?
A good example of this can be found on the website of the Autoriteit Consument & Markt (‘ACM’, the Dutch supervisor of the Telecommunications Act):
| Name | Description | Duration |
|---|---|---|
| nmstat | Cookie is placed by the web analytics package SiteImprove. This can be used to determine whether the visitor is new or has visited the site before. | 1000 days |
| siteimproveses | Cookie is placed by the web analytics package SiteImprove. This records the order in which webpages have been viewed. | session |
If it is assumed that consent is required for the placement of these cookies – which is not the case according to the ACM – the following sentence could be placed below this text:
[ ] By checking this box, I consent to the use of the aforementioned web analytics cookies.
Furthermore, in this judgment, the Court did not comment on the question of what exactly is meant by “freely given” consent. This is important in order to be able to answer the question whether website providers are allowed to use cookie walls. Earlier this year, the Dutch Data Protection Authority published an opinion in which it indicated that cookie walls are not allowed.
However, the Court has not yet ruled on this question. It is therefore not certain that this interpretation of the Dutch Data Protection Authority is correct. Unfortunately, the Court explicitly noted in this case that the question of whether the consent for the storage of cookies has been “freely given”, since users can only participate in the promotional lottery (i.e. the underlying service) if they also consent to the storage of tracking cookies, goes beyond the scope of this procedure.
In short, there is still uncertainty about the exact requirements for validly obtaining consent. In this judgment, the Court did clarify what is meant by “unambiguous”, “specific” and “informed” consent, but the Court did not clarify what degree of autonomy a user must have when deciding whether or not to give consent in order to be able to speak of “freely given” consent.
The expectation is, however, that the Court will soon give its judgment on this in the Orange Romania Case (C-61/19), in which two preliminary questions were referred to the Court at the beginning of this year, among them:
For the purposes of Article 2(h) of Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, what conditions must be fulfilled in order for an indication of wishes to be regarded as freely given?
- e-Privacy Regulation
The e-Privacy Regulation will replace the Directive on privacy and electronic communications in the not too distant future. This is relevant, because this judgment of the Court is still based on an interpretation of the Privacy and Electronic Communications Directive and not on the upcoming e-Privacy Regulation. However, the text of the e-Privacy Regulation has still not been definitively adopted. The Council’s last text proposal was published on 17 October 2019. It is expected that the Council’s final text will be adopted before the end of this year, after which the trilogue can begin. This judgment is likely to have an impact on the ongoing negotiations on the text of the e-Privacy Regulation.