The European Court of Justice (‘ECJ’) has given its preliminary ruling following a request from the German Federal Court of Justice during a case between the Federation of Consumer Organisations (‘the Federation’) and Planet49 GMBH (‘Planet49’), an online gaming company.
The issue concerned the consent of participants in a promotional lottery being organized by Planet49, to:
- i) have their personal data transferred to the Planet49’s partners and sponsors;
- ii) the storage of their information and;
- iii) the access of information stored on the users’ terminal equipment (be it laptop, desktop, mobile device etc.).
The facts of the case were as follows. In order to participate in the lottery, users were faced with a set of two checkboxes. The first one, without a preselected tick, was for the users to provide consent to receive promotional material from around 60 different companies. The second checkbox, which had a preselected tick, was for the users to agree to web analytics that would enable cookies on the user’s device, allowing Planet49 to evaluate surfing and the user’s behaviour habits on Planet49’s website and the websites of its advertising partners. The text of the second checkbox also contained a hyperlink with additional information, including a notice that the user could revoke their consent at any time by sending such revocation to Planet49 in writing or via email.
The Federation brought an action, in the Regional Court, Frankfurt am Main of Germany, against Planet49 asking it to stop using the declarations of consent in its checkboxes, as it alleged that they did not satisfy the applicable legal requirements relevant to obtaining valid consent. This first German Court held that the pre-ticked checkbox was permissible, since it argued that the text was written clearly and users would realise that they could deselect the tick in the checkbox.
The Federation then appealed such decision, bringing the case before the German Federal Court of Justice, contesting the validity of consent obtained through such pre-ticked checkboxes. This second German Court then referred the matter to the ECJ. The ECJ took cognizance of the E-Privacy Directive (Directive 2002/58/EC) as well as the General Data Protection Regulation (‘GDPR’) and the requirements of obtaining valid consent as stated therein. The ECJ reached the conclusion that consent must necessarily be acquired before non-essential cookies are stored on a user’s device. In essence, the ECJ held that consent can never be tacitly given or implied, which is what a pre-ticked checkbox essentially does.
In truth, such rule existed long before the GDPR was introduced in the last few years. However, the GDPR has made acquiring valid consent much more difficult and it is now clear that a pre-ticked checkbox cannot be considered to constitute valid consent. For consent to be considered valid, it must be freely given, specific, informed and unambiguous. The ECJ pointed out that a pre-ticked checkbox makes it impossible to determine whether such consent was in fact freely given or even informed since it is very possible that a user would not even notice the checkbox, let alone the tick, before carrying on with their activity on the website.
The ECJ went on to say that the user must be given clear and comprehensive informationon the duration of cookies on their device, that is, for how long the cookies will remain downloaded. In addition, users must also be informed whether third parties will have access to such cookies or not.
Additional Mamo TCV Commentary
In the context of cookies, a distinction should however be made between essential and non-essential cookies. The former are cookies which are necessary for a website to actually function, and in this case no consent is generally required (though users should still be given the option to disable them if they so wish, at their own risk of the website not functioning properly for them). On the other hand, non-essential cookies are those which are not required for a website to function. These non-essential cookies notably include analytics cookies and marketing cookies which track user behaviour and clicking patterns to better customize personalized advertisements which would then target that specific user. The placement of non-essential cookies requires the consent of the user.
While this matter has been referred back to the national German Court, and has yet to be finalized, it can be expected that fines will be meted out if any breaches of applicable law are ultimately found. While this ECJ ruling already enforces the current legislation, the EU stance on cookies as a whole will be further reinforced with the advent of the upcoming e-Privacy Regulation.
Although progress on the proposed e-Privacy Regulation has been very slow and its coming into force is likely still a long way off, its eventual arrival will be to cookies what GDPR was to data protection more generally. Thus, it can be expected that the e-Privacy Regulation will harmonise EU law on cookies (and other matters such as direct marketing rules), including the fines for breaching such specific laws, while also increasing enforcement on cookie compliance.
Therefore, it is advisable to become cookie-compliant sooner rather than later.