Article: Pre-ticked boxes aren’t “consent” for cookie placement

• United Kingdom

• Privacy, data protection and cybersecurity

11-10-2019

CJEU Ruling on Cookies

On 1 October 2019, the Court of Justice of the European Union (CJEU) gave a preliminary ruling¹  on questions referred from the Bundesgerichtshof (Federal Court of Justice in Germany) that:

1. Consent is not validly given to the storage of information (or access to information already stored in a website user’s terminal equipment) by way of a pre-ticked checkbox which the user must deselect to refuse to give his or her consent.
2. Consent is required whether or not the information accessed is personal data.
3. Information about cookies that must be given upfront includes whether or not third parties will have access to those cookies and the duration of the operation of the cookies.

Why is this ruling significant?

Many websites use cookies or other similar technologies which are placed or access information on the user’s device in order to understand the usage of the website and behaviour of the users.

The judgment affirms that the e-Privacy Directive (which is implemented in each member state) requires active consent to the use of cookies and similar technologies and that this applies regardless of whether or not they will collect personal data. The judgment also makes clear that to ensure informed consent is obtained, detailed information must be given upfront before cookies are set.

It is likely that this clear ruling will be reflected in the upcoming new e-Privacy Regulation and amendment to the Telemediengesetz (the German law on telemedia).

Proceedings and Relevant Law

The German case to which the ruling relates concerned Planet49 GmbH (“Planet49”), an online gaming company, which used pre-ticked boxes for consent to direct marketing and cookies placement as part of the sign up for a promotional lottery it was running on its website.

The CJEU considered the relevant provisions of Directive 2002/58/EC (Directive concerning the processing of personal data and the protection of privacy in the electronic communication sector) (the e-Privacy Directive), as amended by Directive 2009/136/EC. The case predated the coming into force of the General Data Protection Regulation (the “GDPR”), the new European data protection law, but the case considered the GDPR (as well as the Data Protection Directive 95/46/EC which the GDPR replaced) given the timing of disposal of the case in question.

Background to Case

Planet49’s online lottery was set up so that website visitors entered their postcodes, which then directed them to a new page where they were required to enter their names and addresses. Beneath the input fields for the address were two boxes of explanatory text, the first (with an unticked checkbox) to agree to third party direct marketing by post, telephone and email/SMS²  and the second (with a preselected ticked checkbox) agreeing to the setting of web analytics cookies which monitor surfing and use of the internet and send direct marketing based on the user’s interests.

Decision

The CJEU’s ruling (which considered the second consent described above) makes absolutely clear that participation in the lottery did not constitute consent to the setting of cookies – that consent could not be inferred from the wishes of the user in a lottery (in this case), but must be specific. In addition, a pre-ticked checkbox which the user must deselect to refuse his or her consent cannot be consent, as a positive action, not passive behaviour, is required to indicate consent. It is impossible to presume consent if a website user does not deselect a pre-ticked checkbox. The CJEU noted that Recital 32 of the GDPR specifically states that: “Silence, pre-ticked boxes or inactivity should not…constitute consent”, and the introduction by the GDPR of the requirement for consent to be “unambiguous” reinforces that position.

The CJEU noted that personal data (being information which identifies the website user or makes the user identifiable) was processed by the cookies in question. However, it ruled that the requirement for consent applied whether or not personal data was processed. The e-Privacy Directive requires that consent be obtained to access information stored in the terminal equipment of users of electronic communications (both personal and non-personal data), as this is part of the “private sphere” of users which requires protection under the European Convention of Human Rights and Fundamental Freedoms, and users should be protected from having hidden identifiers and similar devices placed on their equipment.

Finally, the CJEU ruled that information which is “clearly comprehensible and sufficiently detailed” needed to be given to website users about the setting of cookies so that they are well informed, including understanding the consequences of giving their consent. Details of recipients or categories of recipients is explicitly required under the Data Protection Directive 95/46/EC and the GDPR, and so must be available for the consent to be sufficiently informed. Further, the list of required information under Directive 95/46/EC is not intended to be exhaustive. The CJEU states that details of the duration of processing forms part of the requirement for “fair data processing” in this case given that a long or unlimited duration would involve collecting a large amount of information on user’s online behaviour. In addition, the GDPR specifically requires such details (or at least the criteria used to determine the duration of storage).

What should website operators do?

This ruling doesn’t impact on the current position in relation to functional or strictly necessary cookies, for which no consent is required.

However, website operators must ensure that their websites do not seek to rely on “implied” consent to all other cookies (including cookies which are used for tracking/advertising purposes and those set by third parties) and that use of website/access to promotions etc does not automatically mean that cookies are accepted. The nature of the information collected or accessed is immaterial – consent must be obtained even where no personal data is being processed.

In addition, cookies notices should be reviewed for fairness - i.e. to ensure the information is easy to understand and sufficiently detailed so that users can appreciate the implications of agreeing to cookies. These notices may need to contain additional details to those set out expressly in the relevant law, depending on the type of cookies used and degree of access to information allowed by the cookies in question.

Many businesses find complying with the rules around cookies difficult, and not all commercially available tools are compliant. The first step is to know what cookies you are using and why. Once you’ve worked that out, don’t set any cookies which are not “strictly necessary” until you have a positive consent from the user. Particularly given the imminent coming into force of the new e-Privacy Regulation (with its higher bar to valid consent in line with GDPR), we recommend that website operators review their use of cookies, consent mechanisms and cookies policies for compliance with this ruling.

¹Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV v Planet49 GmbH (C-673/17) (Link)

²As an aside, the user was required to agree to use of his/her data for advertising purposes in order to be able to enter the promotional lottery. The CJEU elected not to rule on whether this would be a “freely given” consent, as required by the GDPR, as the German court did not refer to this question.