CJEU judgment provides clarity on cookie consent

Recently, the Court of Justice of the European Union (CJEU), in its judgment in the Planet49 case, analysed requirements for consent and transparency in relation to the use of cookies.

The CJEU’s judgment was as expected and highlights the fact that companies should be gathering active and valid consent for all cookies stored on website users’ equipment while ensuring they are providing users with clear and comprehensive information about cookies.

What happened?

Planet49, a German company, organised a promotional lottery on a website. To gather users’ consent, Planet49 required a user to provide his or her address and users were presented with two checkboxes and some text.

To participate in the lottery, users were required to tick the first checkbox which stated that the user was agreeing to receive third-party advertising.

The second checkbox was preselected with a tick and stated that users allowed Planet49 to set cookies to track and evaluate the users’ online behaviour for advertising purposes.

The German Federation of Consumer Organisations claimed that these approaches by Planet49 to gather consent from users to store and use cookies did not satisfy European requirements. After initially reaching the German Federal Court of Justice, the decision was referred to the CJEU who considered a number of questions regarding legal requirements for companies to store and use cookies on users’ equipment:

1. Would a pre-ticked box gather valid consent from a user?
2. Does gathering consent matter if the information stored or accessed through users’ equipment is not personal data?
3. Do companies need to tell users (a) the lifetime of a cookie; and (b) whether third-parties will have access to the cookies?

1. Consent gathered through the use of a pre-ticked box does not constitute valid consent

Taking a literal interpretation of the wording in the e-Privacy Directive which states that users must “give” consent, the CJEU confirmed that “give” requires a user to take an action on its part to provide consent.

The Court also considered the definition of consent contained in the predecessor to the GDPR, the Data Protection Directive, which:

• defines consent as being “any freely given specific and informed indication of his wishes”; and
• states that it must be given “unambiguously”.

The issues with a pre-ticked checkbox were that:

• the definition in the Data Protection Directive pointed to active, not passive, behaviour on the part of a user;
•  a pre-ticked checkbox does not clarify whether a user actually gives its consent as opposed to being unaware of the checkbox or forgetting to read it; and
• a preselected tick does not imply active behaviour on the part of a user.

Noting that the GDPR now requires active consent from users and states that “silence, pre-ticked boxes or inactivity” are not sufficient, the CJEU decided that consent gathered through the use of a pre-ticked box cannot be valid.

2. The information stored or accessed through users’ equipment does not have to be personal data

As the consent rule in the e-Privacy Directive refers to “information” without characterising that information as being stored or accessed as personal information, the Court considered that:

• the e-Privacy Directive aims to protect the user from external interference in its private domain;
• the intention is to protect users from hidden identifiers and other data from entering their equipment without their knowledge; and
• it is not relevant whether the interference and data involve personal data.

The CJEU decided that standard for consent applies to all information stored or accessed through users’ equipment, whether it is personal information or not.

3. Companies need to be transparent and tell users the lifetime of a cookie and whether third-parties will have access to it

The Court looked at the requirement for a user giving its consent under the e-Privacy Directive to have been provided with clear and comprehensive information about the purpose of any storage or access.

Read in conjunction with the Data Protection Directive and the GDPR, the CJEU decided that to satisfy the transparency requirements companies needed to inform users:

• about the lifetime of the cookie’s operation – in this case, a long duration meant collecting a large amount of information on users; and
• whether or not third parties may have access to those cookies.

What now for companies?

Although the CJEU’s judgment is not a surprise, it confirmed several key requirements for gathering cookie consent from users. This is particularly useful timing for companies seeking to update their approach to data protection and privacy as the judgment reflects recent ICO guidance on the use of cookies and similar technologies.

The legislative and regulatory requirements are clear - companies should be gathering active, valid consent for all cookies stored on website users’ equipment while ensuring they are providing users with clear and comprehensive information about cookies.