The CJEU clarifies that “consent” in data protection and privacy laws in relation to cookies compliance refers to consent through active behaviour.
This week, the Court of Justice of the European Union (CJEU) issued a ruling resolving the definition of the term consent in regards to cookies compliance. This came about as a result of a dispute between the Federation of Consumer Organisations, Germany) (‘the Federation’) and online gaming company, Planet49 GmbH.
Background of the Case
The case centered on Planet49’s organization of a promotional lottery on website www.dein-macbook.de in September 2013.
In order to participate in the online lottery, internet users were required to provide their names, addresses and postal codes. Beneath the input fields for the address were two bodies of explanatory text accompanied by checkboxes. The first checkbox required users to provide their consent to being contacted by third party sponsors and cooperation partners. Meanwhile the second box focused on consent for the installation of cookies on the user’s device. This second checkbox contained a preselected tick. In addition, participation in the lottery was possible only if at least the first checkbox was ticked.
The court judgement document explains that the Federation had issued a letter to Planet49 asserting that the declarations of consent requested by Planet49 through the first and second checkboxes did not satisfy some of the requirements of the German Civil Code (BGB), the German Law against Unfair Competition and the German Telemedia Act (TMG). This letter was however unanswered.
Subsequently in March 2014 the Federation filed an injunction requiring Planet49 to cease using such declarations and to pay it EUR 214 plus interest from 15 March 2014. This action was upheld by the regional court.
Planet49 in turn filed an appeal before the higher regional court. The higher court held that the Federation’s injunction order was unfounded on the basis that; “first, the user would realise that he or she could deselect the tick in that checkbox and, second, the text was set out with sufficient clarity from a typographical point of view and provided information about the manner of the use of cookies without it being necessary to disclose the identity of third parties able to access the information collected.”
This ruling was subsequently appealed by Federation before the Federal Court of Justice, Germany. The Federation asserted that Planet49’s success before the higher court centered on the interpretation of some articles of the ePrivacy Directive and the former Directive on Data Protection.
According to the judgement document, “harbouring doubts as to the validity, in the light of those provisions, of the consent obtained by Planet49 from internet users of the website www.dein-macbook.de by means of the second checkbox and as to the extent of the information obligation provided for in Article 5(3) of Directive 2002/58, the Bundesgerichtshof (Federal Court of Justice) decided to stay the proceedings and refer to the Court of Justice for a preliminary ruling.”
Specifically, the following question was posed:
“Does it constitute a valid consent within the meaning of Article 5(3) and Article 2(f) of Directive [2002/58], read in conjunction with Article 2(h) of Directive [95/46], if the storage of information, or access to information already stored in the user’s terminal equipment, is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent?”
The CJEU ruling
Following an analysis of EU data protection laws and regulation—namely, ePrivacyDirective, former Directive on Data Protection and GDPR—the CJEU concluded that:
“ [The laws and regulations] must be interpreted as meaning that the consent referred to in those provisions is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user’s terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent.”
As such cookie compliance requires consent through active behavior.
What is a cookie?
Norton explains that a cookie, known formally as an HTTP cookie is a “a term for a packet of data that a computer receives, then sends back without changing or altering it.”
It further explains that the purpose of cookies is to help the website keep track of your visits and activity.
Considering that cookies store large amounts of data which could potentially identify an individual, they are considered personal data. Cookies are therefore subject to GDPR compliance.
What are the implications of the CJEU ruling?
Aphaia Partner Bostjan Makarovic believes that, although not unexpected, the CJEU ruling has important implications for online business: “Since the 2009 ePrivacy rules first required consent for cookies, there has been a lot of discussion whether this consent might be implied rather than expressly stated. For example, until recently, even the UK Information Commissioner was showing an openly lenient attitude regarding the matter. This is now clearly changing. Online businesses need to urgently rethink their current approaches to cookies.”