The European Court of Justice (the “ECJ”) was asked to consider the concept of valid consent in respect of cookies stored on the equipment of website users (the “Users”) in the case of Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v. Planet49 GmbH. It is important for website operators to ensure that consent is validly given by users before collecting and using the personal data of individuals where the General Data Protection Regulation 2016/679 (the “GDPR”) applies.
The Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV (Federal Union of Consumer Organisations and Associations – Federation of Consumer Organisations, Germany) (the “Federation”) challenged Planet49 GmbH’s (“Planet49”) (an online gaming company) use of a pre-checked tick box when seeking consent for cookie storage from website users.
Planet49 organised an online promotional lottery. The Users wishing to partake in this lottery were required to enter their postcodes, following which they were redirected to a page on which they were asked to provide their names and addresses. There were two paragraphs under the input fields on this page stating that the individual consents to:
(i) certain sponsors and cooperation partners emailing the Users; and
(ii) cookies evaluating the User’s browsing patterns being placed on their own device.
These paragraphs were each accompanied by a tick box signifying the User’s consent, the first one being pre-checked. If a User was to de-select the box, they would not have been eligible to enter the lottery.
The Federation brought action in the German courts against Planet49 asserting that these declarations of consent did not satisfy the requirements in German law. On appeal, the Federal Court of Justice in Germany decided to stay the proceedings and referred four questions to the ECJ. The preliminary ruling concerned the interpretation of various European statute including the Privacy and Electronic Communications Directive 2002/58/EC (the “Electronic Communications Directive”) as amended, and the Data Protection Directive 95/46/EC (the “Data Protection Directive”). Notwithstanding that the GDPR was not in force when the proceedings were initiated, the ECJ decided that, given its relevance going forward to the question of consent, it should be considered alongside the now repealed Data Protection Directive.
The four questions that the Court were asked to consider are:
- Does this constitute valid consent within the meaning of the Electronic Communications Directive and the Data Protection Directive if the storage of information or access to information stored in the User’s equipment is permitted by way of pre-checked checkbox?
- Does it make a difference if this data is personal data?
- Does a valid consent within Article 6(1)(a) of the GDPR exist?
- What information does the service provider have to give to the Users to constitute clear and comprehensive information? Does this include the duration of the operation of the cookies and whether third parties can access the cookies?
When considering the first and third questions, the Court read the Electronic Communications Directive in conjunction with the Data Protection Directive and the GDPR. It was held that, to store information, or to access information already stored in a User’s equipment, that User must have given their consent after being provided with clear and comprehensive information about the purposes of the processing. The Court decided that the wording ‘given consent’, when read literally, implies that action is required on the part of the User to give consent. For this purpose, a pre-checked box would not suffice. The Court added that it is not inconceivable that Users would not have read the information accompanying the checkbox, or even have noticed the checkbox, before continuing to use the website in question. The Electronic Communications Directive was said to indicate that the User’s consent may not be presumed but must be achieved as a result of the active behaviour on the part of the User.
The Court then turned to the second question, evaluating whether their analysis would have been different if the information stored was personal data and was to be interpreted in accordance with the GDPR. The Court asserted that, whilst the storage of cookies constitutes processing of personal data, the legislation is in place to protect internet users in accordance with the European Convention for the Protection of Human Rights, irrespective of whether the interference involves personal data. Therefore, the Court held that their reasoning and ultimate decision would be the same if the information in question was personal data.
The final question was then considered by the Court. What constitutes clear and comprehensive information? The Advocate General opined that the information should put the User in a position where they can give well informed consent and where they are able to determine the consequences of the consent given. Article 13 of the GDPR sets out the information that must be provided where personal data is collected from a data subject. This includes, by way of example, the purposes of the processing for which the personal data is collected as well as the legal basis for processing. Whilst the Data Protection Directive did not explicitly state that the duration of the processing must be provided to a website user, the GDPR does provide that a controller must, to ensure fair and transparent processing, set out the period for which the data will be stored. The Court therefore held that, Planet49 should have set out the duration of the operation of the cookies to the User.
Whilst the approach taken by the Court is somewhat unusual, given the consideration of both old and new law, when looking at the decision from a GDPR perspective, it does not come to a particularly surprising conclusion. The decision and reasoning given serves as a helpful reminder that data subjects must be in a position where they can give informed consent once they have been provided with clear and comprehensive information as to the use of their data. Organisations must ensure that they do not rely on pre-checked ticked boxes as a form of consent and, more generally, should ensure that their data collection processes are rigorous and compliant with the GDPR given that the administrative fines imposed for non-compliance with the GDPR are sizeable.
Article co-authored by Cara Aquilina.