In October 2019 the European Court of Justice rejected pre-ticked boxes as a valid means of consent for cookies. Instead, under the EU E-privacy rules and GDPR, an individual must clearly affirm, by appropriate means, that they consent to cookies, such as ticking/checking an unticked/unchecked box.
What’s the case about?
In the case of Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV -v- Planet49 GmbH the salient facts were as follows:
- A German organization called Planet49 set up a promotional lottery. Before being able to participate in the lottery users were required to enter their postcodes which redirected them to a web page where they were required to enter their names and addresses;
- Beneath the input fields for the address were two bodies of explanatory text accompanied by checkboxes. The first body of text with a checkbox without a preselected tick (“the first checkbox”) read as follows: “I agree to certain sponsors and cooperation partners providing me with information by post or by telephone or by email/SMS about offers from their respective commercial sectors. I can determine these myself here; otherwise, the selection is made by the organiser. I can revoke this consent at any time. Further information about this can be found here”;
- The second set of text with a checkbox containing a preselected tick (“the second checkbox”) read as follows: “I agree to the web analytics service Remintrex being used for me. This has the consequence that, following registration for the lottery, the lottery organiser, [Planet49], sets cookies, which enables Planet49 to evaluate my surfing and use behaviour on websites of advertising partners and thus enables advertising by Remintrex that is based on my interests. I can delete the cookies at any time. You can read more about this here”;
- Participation in the lottery was possible only if at least the first checkbox was ticked;
- The hyperlink associated with the words “sponsors and cooperation partners” and “here” next to the first checkbox opened a list of 57 companies, their addresses, the commercial sector to be advertised and the method of communication used for the advertising (email, post or telephone). The underlined word “Unsubscribe” was contained after the name of each company. The following statement preceded the list: “By clicking on the ‘Unsubscribe’ link, I am deciding that no advertising consent is permitted to be granted to the partner/sponsor in question. If I have not unsubscribed from any or a sufficient number of partners/sponsors, Planet49 will choose partners/sponsors for me at its discretion (maximum number: 30 partners/sponsors)”;
- When the hyperlink associated with the word “here” next to the second checkbox was clicked on users were given information about the (four) cookies concerned. This included a short description of the functioning of the cookies and it was explained that the cookies would track users on the websites of Planet49’s advertising partners who registered for the web analytics service in question, but that no user profiles involving multiple advertising partners would be created (who, it was stated, did not receive any personal data either). It was also stated that consent could be withdrawn at any time;
- The Federation of German Consumer Organizations took Planet49 to court in Germany claiming that the declarations of consent requested by Planet49 through the first and second checkboxes did not satisfy relevant German (and EU) privacy law requirements. The case finally ended up being sent to the European Court of Justice for a preliminary reference where the questions of legal interpretation included in particular whether pre-checked boxes constitute valid cookie consent.
What did the court rule?
The court ruled that EU law must be interpreted as meaning that the consent is not validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user’s terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent.
The court’s judgment can be found here: http://curia.europa.eu/juris/document/document.jsf?text=&docid=218462&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=4015339
What are the takeaways?
Cookies have very much come of age recently, as this judgment demonstrates. Data protection regulators are also paying more attention to cookies, both in terms of issuing much more detailed guidance and, more significantly, in terms of enforcement.
This ruling also suggests that use of a service or a webpage would not constitute adequate cookie consent either.
In order to handle cookie privacy compliance risks, businesses should consider doing the following:
- Undertake a cookies audit (with your IT department);
- Check your existing cookies policy, especially from the perspective of transparency (types of cookies, cookie duration and third party cookie access, amongst other issues), and amend it as appropriate; and,
- Check your consent mechanisms (including the technology used) and revise them as necessary.
For the previous article that we wrote about cookies please see here https://www.corderycompliance.com/ico-cookies-guidance-faqs/.
For more of our reporting about data protection issues see here https://www.corderycompliance.com/category/data-protection-privacy/
For more information on GDPR see details of Cordery GDPR Navigator here www.bit.ly/gdprnav
Generally speaking, data breaches are a major compliance pain point – Cordery’s Breach Navigator can help organisations respond to a breach and assess its consequences. There are more details here https://www.corderycompliance.com/solutions/breach-navigator/.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
30 Farringdon Street
London EC4A 4HH
Office: +44 (0)20 7075 1784

30 Farringdon Street
London EC4A 4HH
Office: +44 (0)20 7075 1785