Planet 49 Case or the new rules concerning cookies consent
The aforementioned judgement is basically answering the long-lasting uncertainty concerning the following issues:
- Is obtaining consent through a pre-ticked box valid when placing cookies on website users’ devices?
- Must the notice given to the user when obtaining consent include the duration of the operation of the cookies being placed and whether or not third parties may have access to those cookies?
- Does it matter for the application of the ePrivacy rules whether the data accessed through the cookies being placed is personal or non-personal?
The core of the Court findings is that:
- pre-ticked boxes do not amount to valid consent,
- the expiration date of cookies and the existence of third-party sharing should be disclosed to users when obtaining consent,
- different purposes should not be bundled under the same consent request,
- in order for consent to be valid ‘an active behavior with a clear view’ (which should be read as ‘intention’) of consenting should be obtained (so claiming in notices that consent is obtained by having users continuing to use the website very likely does not meet this threshold) and,
- (quite consequential), these rules apply to cookies regardless of whether the data accessed is personal or not.
It seems that consent obtained for placing cookies with the help of pre-ticked boxes or through inaction or action without intent to give consent, even prior to the GDPR entering into force, has been unlawfully obtained.
In addition, to be even clearer, the Court finds that ‘it would appear impossible in practice to ascertain objectively whether a website user had actually given his or her consent to the processing of his or her personal data by not deselecting a pre-ticked checkbox nor, in any event, whether that consent had been informed consent. It is not inconceivable that a user would not have read the information accompanying the preselected checkbox, or even would not have noticed that checkbox, before continuing with his or her activity on the website visited. ‘
Based on the above clarifications, the Court seems to clarify once and for all that informing users that by continuing their activity on a website signifies consent to placing cookies on their device is not sufficient to obtain valid consent under the ePrivacy Directive read in the light of both Directive 95/46 and the GDPR.
Another issue sent for a preliminary ruling by the German Court concerned specific categories of information that should be disclosed to users in the context of obtaining consent for placing cookies. Article 5(3) of the ePrivacy Directive requires that the user is provided with ‘clear and comprehensive information’ in accordance with Directive 95/46 (now replaced by the GDPR). The question was whether this notice must also include (a) the duration of the operation of cookies and (b) whether or not third parties may have access to those cookies.
The Court clarified that providing ‘clear and comprehensive’ information means “that a user is in a position to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed. It must be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed”.
Moreover, the Court has added that “information on the duration of the operation of cookies must be regarded as meeting the requirement of fair data processing”. Doubling down on its fairness considerations, the Court goes even further and links fairness of the disclosure of the retention time to the fact that “a long, or even unlimited, duration means collecting a large amount of information on users’ surfing behavior and how often they may visit the websites of the organizer of the promotional lottery’s advertising partners”.
The Court has established that it is irrelevant if the data accessed by cookies is personal or anonymous this leading to a totally different approach that data operators should consider when managing their websites.
The aforementioned Court ruling is also applicable to the data processors established in Romania as well.