On October 1, 2019 the Court of Justice of the European Union ("CJEU") decided that a pre-ticked checkbox does not constitute valid consent for cookies – irrespective of whether the information stored in the cookie contains personal data or not. The CJEU further ruled that the information on cookies must include information on the storage period of the cookie and on whether third parties have access to cookies.1
Companies that have not yet done so are well advised to revisit their cookie banners and cookie notices to make sure that they are compliant.
1. Background of the decision
The German Federation of Consumer Organisations (Bundesverband der Verbraucherzentralen und Verbraucherverbände) issued a cease and desist letter to Planet49 GmbH, a company offering online sweepstakes, demanding, inter alia, that it cease obtaining consent for cookies via a pre-ticked checkbox in connection with online promotional games. In order to participate in a sweepstake, users had to enter their name and address. The website contained, inter alia, a pre-ticked checkbox accompanied by wording stating that the user consents to the placement of a cookie that allows the provider to analyse browsing and usage behaviour on websites of partners and thus to provide tailored marketing ads regarding the partners' products to the user. Reference was made to a notice informing the user that the cookie includes a unique identifier that is assigned to the registration data and that the cookie stores certain information if the user visits the websites of advertising partners. Since the cease and desist letter remained unsuccessful, the German Federation of Consumer Organisations filed a lawsuit against Planet49 GmbH. The Federal Court of Justice asked the CJEU, in the context of a preliminary ruling procedure, for an interpretation of the relevant provisions of the ePrivacy Directive (Directive 2002/58/EC2 as amended by Directive 2009/136/EC3).
a. Storing cookies requires the users' active consent
The CJEU decided that obtaining consent by way of a pre-ticked checkbox does not constitute valid consent. The CJEU reasoned that Art. 5 para. 3 of the ePrivacy Directive requires "active behavior":
- Art. 5 para. 3 ePrivacy Directive stipulates: "Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent (…)." Since the ePrivacy Directive does not contain further information on how to obtain consent, the CJEU referred to recital 17 of the ePrivacy Directive which states that "consent of a user or subscriber (…) should have the same meaning as the data subject's consent as defined and further specified in Directive 95/46/EC."
- Citing Art. 2 lit. h of the Data Protection Directive4, which stipulates that 'the data subject's consent' "shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed", the CJEU followed the Advocate General's opinion5 regarding the interpretation of 'indication'. The CJEU decided that "the requirement of an ‘indication’ of the data subject's wishes clearly points to active, rather than passive, behaviour" and that "consent given in the form of a preselected tick in a checkbox does not imply active behaviour on the part of a website user". The CJEU further argued that it would be impossible in practice to ascertain objectively whether a website user had actually given his or her consent to the processing of his or her personal data by not deselecting a pre-ticked checkbox.
- The CJEU referred to the initial wording of Art. 5 para. 3 ePrivacy Directive, which provided only for the requirement that the user had the 'right to refuse' the storage of cookies, and pointed out that Directive 2009/136/EC introduced the amendment by replacing 'right to refuse' with 'given his or her consent'.
- Although the case stems from 2013, the CJEU took into consideration the General Data Protection Regulation ("GDPR")6 because the claim sought to have the respective consent practice cease in the future. The CJEU outlined that the GDPR now expressly requires active consent, referencing Art. 4 No. 11 and Art. 6 lit. a GDPR and in particular recital 32, which requires "ticking a box when visiting an internet website" and expressly states that "silence, pre-ticked boxes or inactivity should not therefore constitute consent".
b. No difference whether or not the information stored or accessed on a website user’s terminal equipment is personal data
In the case at hand, the cookie contained personal data because of the unique identifier used and assigned to registration data.
However, the CJEU made clear that active consent is required irrespective of whether the information stored in the cookie contains personal data or not. The CJEU noted that Art. 5 para. 3 of the ePrivacy Directive refers to "the storing of information" and "the gaining of access to information already stored", without characterising that information or specifying that it must be personal data. Following the Advocate General's opinion, the CJEU argued that the provisions aim "to protect the user from interference with his or her private sphere, regardless of whether or not that interference involves personal data".
c. Information on duration and third party access
Last but not least, the CJEU ruled that the information the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies. The CJEU reasoned as follows:
- Art. 5 para. 3 of the ePrivacy Directive requires that the user concerned has given his or her consent, "having been provided with clear and comprehensive information, 'in accordance with Directive [95/46]', inter alia, about the purposes of the processing".
- Art. 10 of the Data Protection Directive requires the provision of "any further information such as the recipients or categories of recipients of the data in so far as such further information is necessary, having regard to the specific circumstances in which the data are processed, to guarantee fair processing in respect of the data subject". Although this does not expressly include the duration, information on the duration of the operation of cookies is required because Art. 10 Data Protection Directive does not list the required information exhaustively and the duration is required to guarantee "fair processing".
- Art. 13 para. 2 lit. a GDPR requires informing "about the period for which personal data will be stored, or if that is not possible, the criteria used to determine that period".
3. Context of the Decision
Against the background of the wording of the ePrivacy Directive, the wording of the GDPR and the Advocate General's opinion in March 2019, the decision of the CJEU does not come as a surprise.
The requirement to inform about the duration of the cookie and about whether third parties have access to the information stored in the cookies likewise does not come as a surprise, since the Art. 29 Working Party already recommended this in 2013.8
The decision refers to cookies that track usage behaviour in order to provide tailored advertisements. However, since the statements of the CJEU regarding the interpretation of "consent" and "information vs. personal data" are quite general, it is likely that the same applies to other cookies, e.g. cookies for statistical purposes or cookies used to set preferences. However, regarding strictly necessary cookies, consent is not required since Art. 5 para. 3 ePrivacy Directive states: "This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
4. Open Topics
Although the decision sheds some light on the requirements for cookie consent and cookie information, many questions remain unanswered, for example:
- The CJEU did not decide on when consent is "freely given" within the meaning of Art. 7 para. 4 GDPR (however, the CJEU pointed out that it was not asked to decide on that). Art. 7 para. 4 GDPR stipulates the so-called "prohibition of bundling of consent", which is one of the most debated provisions in the GDPR. The Higher Court of Frankfurt9 recently decided that it is permissible to tie the participation in a sweepstake to consent to marketing to the provision of personal data without dealing with the issues related to Art. 7 para. 4 GDPR. It would have been interesting to see the CJEU's opinion on whether the user can "pay" with his personal data for services that are free of charge.
- The CJEU did not decide on consent for different types of cookies. It remains unclear how granular consent needs to be, i.e. is it required to obtain consent for each type of cookie or is it sufficient to obtain one consent?
In order to be able to implement a consistent approach in the EU, it would be helpful if the European Data Protection Board issued detailed guidance for all Member States - or if the ePrivacy Regulation, which picks up this issue, made progress.