On 1 October 2019, the Court of Justice of the European Union (CJEU) handed down a preliminary ruling in a case that made its way from the Federal Court of Justice in Germany (FCJ) regarding the validity of user consent systems for cookie data storage via pre-ticked checkboxes, and also on the amount of information that must be divulged to users prior to such consent being given (the “Ruling”).
According to the Ruling, the consent given by a website user to the storage of and access to cookies is not validly constituted by way of a pre-checked checkbox which the user must deselect to refuse granting such consent.
Further, the CJEU found, users should be presented with clear and complete information beforehand, which must, among other things, include information on the intended purposes of any data processing, cookie duration, and the ability of third-parties to access such cookies.
Prior court dispute and the reasoning behind the ultimate verdict
In its Ruling, the CJEU stated that giving consent requires active consideration on the part of the user. Further, the CJEU noted that such consent must be specific, i.e. the fact that a user selects a button to participate in a promotional lottery does not sufficiently construe that the user validly gave their consent to the storage of cookies.
The Ruling primarily concerns the interpretation of the word “consent” and the requirements stipulated in the Privacy and Electronic Communications Directive 2002/58/EC (also known as the “ePrivacy Directive”). These rules are valid even in cases when cookies do not contain personal information within the meaning of the General Data Protection Regulation (“GDPR”). In the event that cookies contain information enabling the identification of a specific individual, additional GDPR requirements must be considered.
The German and Czech implementation of the ePrivacy Directive
The ePrivacy Directive requires a so-called “opt-in” consent for cookies – meaning a requirement for users to give their active consent to the storage and accessing of cookies (with the exception of certain types of cookies necessary for the functioning of a website and the provision of services that may be stored without consent). The “opt-in” consent system was introduced in an amendment to the ePrivacy Directive in 2009; the original version of the ePrivacy Directive implemented in 2002 contained a so-called “opt-out” system in relation to cookies – meaning the ability to store and access cookies is automatically granted unless the user specifically opts to refuse this.
The “opt-out” system for cookies was also adopted by the German and Czech legislatures in accordance with the original version of the ePrivacy Directive. Even after the amendment of the ePrivacy Directive (requiring “opt-in” consent for cookies) the former opt-out system was retained by both countries. This means that current Czech and German legislation does not reflect the “opt-in” consent requirement under the ePrivacy Directive.
Given that the “opt-out” system is something of an exception within the member states of the European Union due to its incompliance with the ePrivacy Directive, in cases with a trans-national character, it is advised that the stronger “opt-in” consent is sought.
Does the CJEU ruling represent a major development?
Despite the fact that the Ruling’s central findings are not a game changer in the EU context, and are not directly applicable to the Czech Republic due to the “opt-out” consent required by local laws, the Ruling can nonetheless be characterised as representing a debt on the part of the Czech Republic, incurred as a result of its incorrect transposition of the ePrivacy Directive into its national statute books.
As already noted, the Decision relates to a preliminary ruling submitted by the German Federal Court of Justice. Due to the fact that the German legislature also failed to adopt the “opt-in” consent requirement set forth by the ePrivacy Directive, the German Federal Court of Justice’s future rulings in this case will undoubtedly be of great interest, including with respect to how it might rule on the apparent conflict between German law and the ePrivacy Directive and the applicability of GDPR.
In its ruling, the Court of Justice of the European Union also noted that privacy protections addressed in the ePrivacy Directive apply to all data stored within an end user’s device, irrespective of whether these concern personal data or not, and are primarily designed to protect users against the risk of covert identifiers or other tools being used within the end-user devices. Indeed, such conduct could be deemed to represent unfair commercial practices by competition or consumer protection authorities – such as the Italian Competition Authority (ICA) penalising Facebook in 2018 with a EUR 10m fine for unfair commercial practices for using its subscribers’ data for commercial purposes.
The Ruling also underscores the need to provide full and complete information to users prior to their giving consent, including information on the operational duration cookies and the ability of third-parties to access cookies. Such information should be provided in a clear and plain language so as to enable users to fully understand the given consent. At present, information on the operational cookies is often missing from the texts of cookie consent forms.
The EU is currently debating adopting a new ePrivacy regulation to replace the current ePrivacy Directive, which will also address the current problem of conflicting laws in the Czech Republic and Germany.