Data Protection Report - Norton Rose Fulbright

On 1 October 2019, the European Court of Justice (ECJ) delivered its judgment in Case C-673/17 (the “Planet49” case), which relates to the consent and transparency requirements for the use of cookies and similar technologies. The ECJ largely followed the March 2019 Opinion of Advocate General Szpunar and the judgment is generally consistent with the recent regulatory guidance issued by the UK and French data protection authorities in this area.

The decision

Planet49 GmbH, a German company offering an online lottery service, used two checkboxes on its website at the login page for the online lottery. The first unticked checkbox forced users to consent to being contacted for marketing purposes by third-party companies before participating in the lottery. The second checkbox, which was pre-checked, sought consent for installing cookies on users’ browsers. The German federal consumer rights group (Bundesverband der Verbraucherzentralen) brought an action asserting that the requested declarations of consent did not satisfy the relevant requirements of the German data protection laws. In November 2017, the Federal Court of Justice referred the following questions to the ECJ, which found as follows:

  • Is a pre-checked checkbox, which the user must deselect to refuse his or her consent, valid consent for the purposes of Article 5(3) of the e-Privacy Directive (namely the “cookie consent” requirement) and have the consent requirements under the GDPR been met?

The ECJ held that a pre-checked box is not sufficient to obtain valid consent for placing cookies on users’ devices under Article 5(3) of the e-Privacy Directive, as it does not constitute an unambiguous indication of the data subject’s wishes.

The ECJ acknowledges that Article 5(3) of the e-Privacy Directive does not prescribe a specific way of obtaining consent to the storage of and access to cookies on users’ devices. However, it observes that the wording “given his or her consent” means that some action is required on the part of the user. It also notes that “consent” under the e-Privacy Directive previously had to be read as having the same meaning as consent under the Data Protection Directive (Directive 95/46/EC) and that the requirement for consent to be an “indication of the data subject’s wishes” under Directive 95/46/EC also points to “active, rather than passive, behaviour”. This, it concludes, is not the case where pre-checked boxes are used.

The court also points out that “only active behaviour on the part of the data subject with a view to giving his or her consent” fulfils the requirement under Directive 95/46/EC for consent to be “unambiguously” given. It would appear impossible to ascertain objectively whether a website user had actually granted his or her consent by merely continuing with his or her activity on the website visited (continuing browsing or scrolling) and, in doing so, failing to deselect a pre-checked box.

The ECJ considers that the GDPR has now closed off any debate on this issue, stating that the consent requirements under the GDPR are stricter, expressly requiring active consent and precluding “silence” and “pre-ticked boxes or inactivity” from constituting valid consent.

Separately on the question of consent needing to be “specific”, the ECJ notes that “consent must relate specifically to the processing of the data and cannot be inferred from an indication of the data subject’s wishes for other purposes”. Therefore, the fact that a user selects the participate button for the promotional lottery is not sufficient to conclude that the user validly gave his or her consent to the storage of cookies, or to the sharing of his or her data with commercial partners.

In a departure from the Opinion of Advocate General Szpunar, the ECJ did not rule on whether making participation in the lottery conditional upon the user giving his or her consent to advertising complied with the requirement for consent to be “freely given”, as this question was not referred to it. However, based on the AG’s opinion and recent guidance on the meaning of consent under the GDPR, we consider that it would often be difficult to meet the “freely given” requirement in this context.

  • Does it make a difference whether the information stored or accessed by the cookie or tracking technology constitutes personal data or not?

The ECJ points out that Article 5(3) of the e-Privacy Directive merely refers to “information without characterising that information or specifying that it must be personal data”. Therefore, it is irrelevant whether the data accessed by cookies constitutes personal data or not, and the consent requirement in Article 5(3) of the e-Privacy Directive applies regardless.

  • What information must the service provider give to users about the use of cookies and other tracking technology under Article 5(3) of the e-Privacy Directive: (a) does this include information about the duration of the cookies; and (b) does it include information about third parties being given access to the cookies?

The ECJ clarified that the information provided must enable the user to determine the consequences of any consent he or she gives and, in this case, be sufficiently detailed so as to enable the user to understand the functioning of the cookies employed. It considers that this requires information about the duration of the cookies and whether or not third parties may have access to those cookies to be provided, a position it considers is supported by the transparency requirements of the GDPR.

Position in Germany

In Germany, the position on cookies in national law remains unique. Section 15(3) of the German Telemedia Act (Telemediengesetz) still allows cookies to be used in certain circumstances on an opt-out basis. The question remains how this will be interpreted in the light of the GDPR and the ECJ’s decision above, as the ECJ only answered the specific questions raised and did not give further guidance on the relationship between the GDPR and the German Telemedia Act. However, the ECJ decision is certainly consistent with recent guidance issued by the German data protection authorities, which provides that in most use cases online tracking requires the user’s prior consent in the form of an opt-in solution and that reliance on other grounds for processing, such as “legitimate interests”, is not acceptable. This is especially so in cases where cookies allow a third party to track users across different sites. Therefore, the ECJ’s decision may be another step towards a more harmonised approach being taken across the whole of the European Union.

Our take:

The ECJ decision should come as no surprise to people following this area of data protection law, as it confirms the position on consent already set out in the GDPR and reflects recent regulators’ guidance across Europe. It also reinforces the need for companies to revisit their cookie notices and consent mechanisms to ensure that they are compliant with the position taken.

It is unfortunate that the judgment does not provide any further clarity on the level of information required about the third parties who may access the cookie data or how to collect consent on behalf of these third parties. However, this is perhaps unsurprising given that the regulators have recognised this as a key challenge that they are still considering, and it should not stop companies from improving their cookie notices and consent mechanisms in the meantime.