The Court of Justice of the EU ("CJEU") has declared that pre-ticked checkboxes cannot be used to gain valid consent from individuals, with respect to the dropping and reading of cookies. This decision further emphasises the fact that consent, for the purposes of EU privacy and data protection law, requires a positive action by the individual. Silence or failure to opt-out do not constitute valid consent for these purposes.

The decision is the latest example of a trend in the EU towards tighter rules around cookies, including a recent regulatory decision that "cookie walls" (which block access to a website unless cookies are accepted) are invalid. It comes against the backdrop of the proposed e-Privacy Regulation, which is likely to introduce additional restrictions on the use of cookie data beyond those currently set out in Directive 2002/58/EC, as amended by Directive 2009/136/EC (together, the "e-Privacy Directive"), but which remains locked in negotiation in the EU's Council of Ministers.

Background

In 2013, Planet 49 organised an online promotional lottery. In order to participate, users were required to enter their contact details, and consent to: (i) receiving promotional advertisement from third parties; and (ii) the use of cookies for purposes including web analytics. Each consent purpose had its own checkbox. However, while the first checkbox required active consent, the second one was pre-ticked. If a user made no changes (or ignored the checkboxes altogether) the default outcome was that the second checkbox authorised Planet 49 to install cookies on the user's device. As a result, users would receive promotional advertisement based on their interests.

The German Federation of Consumer Organisations ("VZBV") challenged this use of cookies before the German courts, which referred the following questions to the CJEU:

1. (a) If the relevant cookie data are already on the user's device, then is a business entitled to rely on a pre-ticked checkbox, which the user must deselect to refuse his or her consent?

(b) Does it make any difference whether the cookie data are (or are not) "personal data"?

(c) If the relevant cookie data are already on the user's device, and the user is offered an opportunity to refuse consent by means of a pre-ticked checkbox, but does not do so, does that constitute valid consent for the purposes of the GDPR?

2. In accordance with Article 5(3) of the e-Privacy Directive, must users be provided with information about the duration of the operation of cookies, and whether cookie data will be shared with third parties?

The CJEU's decision

The CJEU held that:

1. (a) A pre-ticked checkbox, which the user must deselect to refuse his or her consent, is not a valid form of consent for the purposes of the e-Privacy Directive and Directive 95/46/EC. For consent to be valid for these purposes, the user needs to have "given his or her consent". Failure to un-tick a pre-ticked checkbox is not the same thing as "giving" consent. The CJEU also noted that the GDPR explicitly states that a "clear affirmative action" is required in order to indicate consent.

(b) The consent requirements set out in the e-Privacy Directive are not affected by the question of whether or not the cookies in question constitute personal data. Consent is required for all cookies, irrespective of whether personal data are involved or not. However, given that the CJEU has previously held that information as abstract as dynamic IP addresses will ordinarily be personal data, it seems likely that cookies used for marketing purposes would be classed as personal data in the majority of cases.

(c) The question of whether the relevant cookie data are already on the user's device makes no difference to the foregoing analysis. A pre-ticked checkbox that can be un-ticked by the user does not constitute a valid consent mechanism.

2. The information that the website operator must give to a user includes the duration of each cookie, and whether or not third parties receive cookie data.

Because the events in question took place in 2013 (i.e., before enforcement of the GDPR commenced) much of the CJEU's reasoning pertains to Directive 95/46/EC (which was the GDPR's predecessor) even though that Directive is no longer in effect. Nevertheless, the questions referred by the German court specifically raised the issue of consent under the GDPR, and the CJEU addressed GDPR consent issues in several places. As a result, even though this case largely discusses a law that no longer applies (i.e., Directive 95/46/EC) it continues to be relevant going forward.

Impact on businesses

The impact of this case on businesses is clear:

  • For the purposes of EU data protection law, all consent needs to be "opt-in". Failure to opt-out is not valid consent for these purposes. Businesses should therefore ensure that their consent mechanisms operate on an opt-in basis.
  • In respect of the setting or reading of cookie data, the question of whether those data are personal data or not makes no difference to the consent requirements. It also makes no difference whether the data are already on the user's device or not.
  • Cookie notices need to provide clear information on: (i) the duration of each cookie; and (ii) the third parties who receive, or have access to, such cookie data. For some businesses, this may necessitate changes to their existing cookie notices.