On October 1 2019, the Court of Justice of the European Union (CJEU) issued its decision in the Planet49 case. The decision confirms much-anticipated and relevant principles regarding the use of consent for the processing of personal data and the use of cookies. Notably, it confirms that pre-ticked boxes do not constitute a legally valid consent, in line with the General Data Protection Regulation (GDPR).
However, the decision does not provide answers to some of the key issues that publishers and other companies with an online presence struggle with. Questions surrounding so-called cookie walls[1], or whether consent may be obtained by the mere action of browsing on a website (for instance, accompanied with a notice or pop-up, such as “if you scroll down…” or “if you continue browsing on this website…”), are still outstanding.
After a short background description of this case in Section I, this post will analyze the main takeaways from the CJEU decision, including what it means for organizations in Section II, followed by an explanation of the remaining open questions in Section III.
I. The Case in a Nutshell
Planet49 GmbH, an online gaming company, offered an online lottery service. To use the service, users had to register and provide personal data. The registration form contained two checkboxes. The first one asked users to tick a box allowing Planet49 GmbH to share their data with commercial partners. Ticking this box was mandatory for participation in the lottery. The second checkbox was pre-ticked and allowed users to opt out from the use of cookies (by unticking the box).
In the letter before action, the German consumer rights group that brought the action asserted that the requested declarations of consent did not satisfy the relevant German legal requirements. The German Federal Court of Justice referred various questions on the protection of electronic communications and privacy to the CJEU for a preliminary ruling. These questions included (a) whether a pre-ticked box constitutes valid consent under the ePrivacy Directive and the GDPR; (b) is it necessary to provide information about the duration of cookies and any third-party cookies; and (c) if it makes a difference “whether the information stored or accessed constitutes personal data.” [2]
II. The CJEU’s Response and the Main Takeaways
a) A pre-ticked box for cookies does not provide a legally valid consent under the GDPR and the ePrivacy Directive
The CJEU explains that active consent is expressly provided for in the GDPR. Indeed, the GDPR definition of consent (Article 4(11)) requires an unambiguous indication of the individual’s wishes, by either a statement or a clear affirmative action. Recital 32 of the GDPR states that “silence, pre-ticked boxes or inactivity should not therefore constitute consent.” The CJEU clarifies that “only active behaviour on the part of the data subject with a view to giving his or her consent may fulfil that requirement”[3] (to be unambiguous). In light of the GDPR provisions (article and recitals), the CJEU decision was to be expected.
To put the decision into practice, companies will no longer be able to:
- Use pre-ticked boxes to legitimize the storage and/or the reading of cookies; or
- Place cookies by default or inaction, while only informing users about the presence of cookies and providing information about how to opt out of the cookies.
b) Consent cannot be bundled.
The CJEU reinforces that for consent to be valid under the GDPR, it must be “specific.” This means that consent “must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject’s wishes for other purposes.”[4] Thus, the CJEU concludes that the fact that a user selects the participate button for the promotional lottery cannot be sufficient to conclude that the user validly gave his or her consent to the storage of cookies, or to the sharing of his or her data with commercial partners.
This clarification means, in practice, that organizations should check if their consent requests are separated on a per purpose basis. If a website requests a user to tick a box in order to download an app, one cannot also request the user to agree to additional activities or purposes at the same time, such as the processing of personal data or for direct marketing communications. Any such additional purposes will require a separate checkbox, which will need to be ticked by the user in order to constitute a valid consent.
c) Information to be provided to users (the transparency requirement).
The CJEU decision clarifies that information given to users must indicate the life span of each cookie and whether any third parties may have access to those cookies. The CJEU confirms that this is part of the clear and comprehensive information required under Article 5(3) of the ePrivacy Directive and Article13(2)(a) of the GDPR.
The CJEU confirms that the end goal of providing an online user with “clear and comprehensive information”[5] about the processing prior to obtaining consent for the use of cookies is to ensure that the online user is “able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed.”[6]
While the CJEU decision confirms the need to inform users about whether third parties may have access to the cookie data, it does not specifically require such parties to be explicitly identified, which is in line with Article 13(1)(e) of the GDPR that expressly refers to the recipients or categories of recipients of the data.
For organizations, this means that they should review their information notices and assess whether changes are needed to incorporate the elements described above.
III. The Open Questions
The CJEU decision confirms certain core principles in relation to consent, as set out in the GDPR, such as the requirement for consent to involve an active action on the part of the user. The decision also clarifies certain elements that must be included when asking users to consent. At the same time, the decision leaves open a number of pressing questions that online businesses wish to be clarified.
a) Continue Browsing
The CJEU was not asked to address the question of whether seeking consent through the formulation “by continuing browsing this website” constitutes an unambiguous indication of an individual’s wish to consent. The CJEU decision regarding the pre-ticked box as a mechanism to obtain consent does not shed much light on whether continuing browsing may be considered valid consent.
This is in contrast to the European Data Protection Board (EDPB) opinion on consent[7], which states that “scrolling down or swiping through a website will not satisfy the requirement of a clear and affirmative action. This is because the alert that continuing to scroll will constitute consent may be difficult to distinguish and/or may be missed when a data subject is quickly scrolling through large amounts of text and such an action is not sufficiently unambiguous.”
Arguably, the logic behind consent is to be purpose-specific. Therefore, a requirement of separately provided consent for each purpose could not lead one to conclude that continuing browsing would constitute a valid consent, given that continuing to browse is itself an action with its own purpose. In other words, a user continues browsing to read an article or to see a picture, but not to consent to a cookie being placed.
b) Cookie Walls and Tracking Walls
The CJEU decision does not address whether users can be forced to provide their consent in order to participate in the lottery. It also does not answer the question on the legitimacy of cookie walls. The CJEU explains that the referring court did not ask questions about this issue, so the CJEU decision did not have to address this point. This contrasts with the Advocate General’s opinion, which states that “In such a situation it appears to me that the processing of this personal data is necessary for the participation in the lottery.” He ultimately considers it a decision for the CJEU.[8] The Advocate General explicitly reminds the CJEU that one of the purposes of the lottery is the provision of personal data, which is why the processing of personal data is necessary for participation.
c) The Specific Listing of Cookie Providers
It is not clear whether the requirement to indicate the life span of each cookie has any consequences on the granularity of the consent, including whether any explicit references to the cookie provider must be made.
In particular, it is not clear whether mechanisms (i.e., cookie pop-ups) that do not enable the user to accept or reject specific cookies in light of the specific circumstances, including factors such as the life span of a cookie, will now comply with the CJEU decision.
Regarding the listing of cookie providers, one could interpret the CJEU decision as implicitly stating that identifying each provider is necessary, as the decision recalls the information requirements related to Article 5(3) of the ePrivacy Directive, including the identity of the data controller.[9] However, the Court’s decision is not explicit on this aspect and more clarity is desirable.
IV. Conclusion
In summary, this case is useful, as it confirms some of the parameters for valid and specific consent. It also provides helpful information about cookies, which businesses can use to conduct a cookie audit in order to reassess their compliance with the rules. However, the decision does not address some of the key outstanding questions about consent and cookies, which may have been useful for the CJEU to address. This Planet49 decision is a step toward achieving legal clarity in this area, but important questions remain.
[1] “Cookie wall” refers to a situation where users’ access to a particular website is subjected to a prior user’s consent to cookies and similar technologies.
[2] Paragraph 37 of the CJEU decision, question 1(b).
[3] Paragraph 54 of the CJEU decision.
[4] Paragraph 58 of the CJEU decision.
[5] Article 5(3) of the ePrivacy Directive.
[6] Paragraph 74 of the CJEU decision.
[7] Article 29 Working Party, Guidelines on Consent under Regulation 2016/679, revised and adopted April 10, 2018, and endorsed subsequently by the EDPB.
[8] Paragraph 99 of the Advocate General Szpunar’s Opinion on March 21, 2019, Case C‑673/17.
[9] Paragraph 77 of the CJEU decision.