The Court of Justice of the European Union has confirmed that the requisite consent under Article 5(3) of the e-Privacy Directive (2002/58/EC) to place cookies on a website user’s device is active consent and such consent cannot be obtained on an opt-out basis through the use of a pre-ticked checkbox which the user deselects to refuse consent. That is the case whether or not the information stored or accessed on the user’s equipment is personal data.

Background

On 24 September 2013, Planet49 organised a promotional lottery on the website www.dein-macbook.de. Internet users wishing to take part in that lottery were required to enter their postcodes, which redirected them to a web page where they were required to enter their names and addresses. Beneath the input fields for the address were two bodies of explanatory text accompanied by checkboxes. The first body of text with a checkbox, which did not contain a preselected tick (“the first checkbox”), read:

“I agree to certain sponsors and cooperation partners providing me with information by post or by telephone or by email/SMS about offers from their respective commercial sectors. I can determine these myself here; otherwise, the selection is made by the organiser. I can revoke this consent at any time. Further information about this can be found here [hyperlink].”

The second set of text with a checkbox containing a preselected tick (“the second checkbox”) read:

“I agree to the web analytics service Remintrex being used for me. This has the consequence that, following registration for the lottery, the lottery organiser, Planet49 GmbH, sets cookies, which enables Planet49 to evaluate my surfing and use behaviour on websites of advertising partners and thus enables advertising by Remintrex that is based on a user’s interests. I can delete the cookies at any time. You can read more about this here [hyperlink].”

Participation in the lottery was possible only if at least the first checkbox was ticked.

Reference to the CJEU

The Federation of German Consumer Organisations (the "Bundesverband") sought an injunction requiring Planet49 to cease using such declarations on the grounds that they did not comply with German consumer law and German laws implementing the e-Privacy Directive and the Data Protection Directive (95/46/EC). The case reached the Bundesgerichtshof (Federal Court of Justice, Germany), which decided to refer it to the CJEU for guidance on the interpretation of Article 5(3), which provides that, subject to specific exceptions:

“…the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive [95/46], inter alia, about the purposes of the processing.”

Specifically, the German court questioned whether such consent is validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user’s terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent. It also queried whether “clear and comprehensive information” included the duration of the operation of the cookies and information as to whether third parties are given access to the cookies.

Decision

The CJEU began with the preliminary observation that, under Article 94(2) GDPR, the references to Directive 95/46 in the e-Privacy Directive are to be construed as references to the GDPR. For that reason, and because the Bundesverband sought an order to restrain future conduct of Planet49, the CJEU considered that the questions referred must be answered having regard to both Directive 95/46 and the GDPR.

Pre-GDPR consent 

The CJEU said that it was clear from Recital 17 of the e-Privacy Directive that a user’s consent may be given by any appropriate method enabling “a freely given specific and informed indication” of the user’s wishes, including “by ticking a box when visiting an internet website”. Further, Article 2(f) states that “consent” by a user or subscriber corresponds to the individual’s consent in the Data Protection Directive (95/46/EC), which defines consent as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.

Thus, the CJEU observed, the requirement of an “indication” of the individual’s wishes clearly points to active, rather than passive, behaviour. Consent given in the form of a preselected tick in a checkbox does not imply active behaviour on the part of a website user.

Further, consent, under Article 2(h) of Directive 95/46, must be given “unambiguously”. In that regard, the CJEU said, it would appear impossible in practice to ascertain objectively whether a website user had actually given his or her consent to the processing of his or her personal data by not deselecting a pre-ticked checkbox or, in any event, whether that consent had been informed.

Additionally, the indication of the individual’s wishes referred to in Article 2(h) must be “specific” in the sense that it must relate specifically to the processing of the data in question and cannot be inferred from an indication of the individual’s wishes for other purposes. The fact that, in the current case, a user selected a button to participate in the promotional lottery organised by Planet49 could not therefore be sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies.

For these reasons, the CJEU concluded that consent under Article 5(3) “is therefore not validly constituted if the storage of information, or access to information already stored in a website user’s terminal equipment, is permitted by way of a checkbox pre-ticked by the service provider which the user must deselect to refuse his or her consent”. The court was also clear that that decision was unaffected by whether or not the information stored or accessed on the user’s equipment is personal data.

Consent and the GDPR

As regards the GDPR, the definition of consent is even more stringent in that it requires a “freely given, specific, informed and unambiguous” indication of the individual’s wishes in the form of a statement or “clear affirmative action” signifying agreement to the processing of the personal data relating to him or her. The CJEU acknowledged that, according to Recital 32 GDPR, giving consent could include ticking a box when visiting an internet website. On the other hand, Recital 32 expressly precluded “silence, pre-ticked boxes or inactivity” from constituting consent.

Clear and comprehensive information

On the question of “clear and comprehensive information”, the CJEU agreed with its Advocate General that this implies that a user is in a position to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed. It must be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed.

The court considered that in the circumstances of the current case where cookies aim to collect information for advertising purposes relating to the products of partners of the organiser of a promotional lottery, the duration of the operation of the cookies and whether or not third parties may have access to those cookies formed part of the clear and comprehensive information which must be provided to the user in accordance with Article 5(3).

Although duration of the processing of data was not expressly included in the information requirements in Article 10 of the ‘95 Directive, the CJEU considered that information on the duration of the operation of cookies must be regarded as meeting the requirement of fair data processing provided for in Article 10 in that, in a situation such as that in this case, a long, or even unlimited, duration means collecting a large amount of information on users’ surfing behaviour and how often they may visit the websites of the organiser of the promotional lottery’s advertising partners. In the CJEU’s view, that interpretation was borne out by Article 13(2)(a) GDPR, which provides that the controller must, in order to ensure fair and transparent processing, provide the individual with information relating, amongst other things, to the period for which the personal data will be stored, or if that is not possible, to the criteria used to determine that period. As to information on whether third parties are given access to the cookies, that was included within the information referred to in Article 10(c) of Directive 95/46 and in Article 13(1)(e) GDPR since both provisions expressly referred to “the recipients or categories of recipients” of the data.

Comment

As anticipated, the CJEU has followed the opinion of Advocate General Szpunar on the question referred to it by the Bundesgerichtshof and confirmed that the threshold for cookie consent is the same as consent under the ‘95 Directive and now the GDPR, whether the information accessed by cookies is personal data or not, and that opt-out consent is not valid consent for cookies under the e-Privacy Directive. A question also arises, however, in relation to the first checkbox, which did not deal with cookies but only with the processing of personal data insofar as the user was not agreeing to cookies but to being contacted by a list of firms by post, telephone or email. That question is whether it is compatible with the requirement that consent be “freely given”, under the ‘95 Directive and the GDPR, for a user’s consent to the processing of his personal data for advertising purposes to be a prerequisite to that user’s participation in a promotional lottery. The Advocate General appeared to suggest that it might be, in circumstances where the underlying purpose in the participation in the lottery was the "selling" of personal data (i.e. agreeing to be contacted by so-called "sponsors" for promotional offers). Tantalisingly, in its judgment the CJEU acknowledges the issue. Disappointingly, because it was not a question referred by the Bundesgerichtshof, the CJEU decided it was not appropriate to deal with it. The upshot is we have an authoritative opinion but not a definitive ruling on a question that is crucial to the advertising-based digital economy.