Key points to note from the judgment include:
2. Where consent is required for cookies under the e-Privacy Directive, the GDPR standard of consent applies.
3. It does not matter whether the cookies constitute personal data or not - Article 5(3) of the e-Privacy Directive (i.e. the cookie consent rule) applies to any information installed or accessed from an individual's device.
4. Website users must be provided with information on the duration of the cookies, and whether third parties will have access to the cookies.
Planet49 ('Planet49') ran a promotional lottery on its website.
As part of entering the lottery users were presented with two tick-boxes. The first was an unchecked tick-box to receive third party advertising. In order to enter the competition, users needed to tick this box.
The second was a pre-ticked box allowing Planet49 to set cookies to track the user's behaviour online.
The German Federation of Consumer Organisations (the 'Federation') claimed that these two check-boxes did not satisfy German law requirements, and sought an injunction requiring Planet49 to cease using them. The case ultimately reached the German Federal Court of Justice (the 'Bundesgerichtshof'), which in turn referred the case to the CJEU for a preliminary ruling.
1. Pre-ticked checkboxes invalid
The Court looked first to the e-Privacy Directive which expressly requires consent for the storage of, or access to, information stored in the user's terminal equipment. However, the e-Privacy Directive does not indicate the form that consent must take. The Court took a literal interpretation of the term 'given his or her consent,' finding that the user must give an 'indication' of their wishes. An action is required on behalf of the user: it must be active not passive.
Consent in the form of a pre-selected checkbox would not, according to the CJEU, imply active behaviour. It would 'appear impossible' to objectively ascertain whether a user has given informed consent by not deselecting a pre-ticked check-box; the user may not have seen the check-box or read it before continuing with their activity on the website visited.
Further, GDPR now expressly requires active consent and precludes 'silence, pre-ticked boxes or inactivity' from constituting consent. Against this backdrop, the Court could not have come to another conclusion.
2. Cookie data does not have to be personal
It was not disputed that the cookie data which Planet49 collected was personal information, as it linked a name and address with a registration number relating to the promotional lottery.
The CJEU confirmed what most practitioners already know - the consent rule for cookies in the e-Privacy Directive applies regardless of whether personal data is processed. On this point, the Court concurred with the Advocate General's Opinion that the purpose of the e-Privacy Directive is to protect against interference with a user's 'private sphere'. This 'private sphere' includes any information stored on a user's device, whether personal or otherwise, so as 'to protect users from the risk that hidden identifiers' enter their device without their knowledge.
It follows, according to the CJEU, that GDPR standard consent is required for Article 5(3) of the e-Privacy Directive, regardless of whether the information stored or accessed is personal or not.
3. Transparency: duration and third party access
On the transparency front, website operators must inform users about, among other matters, the duration of the cookie lifespan and whether third parties will have access to these technologies.
Information on the duration of cookies was considered by the CJEU to be a requirement of fair processing. Retaining cookie information for a long or even unlimited duration would mean a large volume of user data would be collected about the user's browsing history. Accordingly, information on retention is needed so that a user can properly determine the consequences of consenting to having cookies placed on their device.
The Court also pointed to Article 13 GDPR which requires controllers to provide individuals with the retention period for the personal data, or if that is not possible, the criteria used to determine that period.
Similarly the Court found that website operators must also inform users of third parties that have access to cookies. The CJEU reached this conclusion by looking at the requirement in Article 13 GDPR to name recipients or categories of recipients of data: the CJEU concluded that consent will only be informed if information about actual recipients is provided.
The conclusion, however, conflates the requirements for consent with requirements for transparency about recipients of data. This is a point which could have significant implications for the ad-tech industry, where there is an open question as to whether sharing of cookie data (rather than the act of reading the cookie) should be based on consent or legitimate interests.
4. Incentivising Consent
Planet49 made entry into its promotional lottery conditional on the user consenting to the use of their personal data for advertising purposes.
However, the CJEU were not asked to opine on whether this conditionality was compatible with the GDPR requirement for consent to be 'freely given'.
While the European Data Protection Board state in their Consent Guidance that it is possible to incentivise consent to some extent, the onus remains on the controller to demonstrate that consent was nonetheless freely given. As those in the trenches will know, it is difficult in practice to know when the 'freely given' line is crossed, and the Court in Planet49 offers no guidance in this respect.
5. German Perspectives
The German Bundesgerichtshof will now pick up the ball and issue its decision. It will be interesting to see whether that court will - as its request for a preliminary ruling suggests - base its decision on the provisions of the German Telemedia Act (and interpret them in light of the ruling and Article 5(3) of the e-Privacy Directive). This point is of note because for a long time there has been a question mark around whether the German Telemedia Act does in fact implement the e-Privacy Directive. The German Federal Ministry of Economic Affairs and Energy has in any case already announced that it will shortly be revising the Telemedia Act to take account of the judgment.
German Data Protection Authorities will, however, generally welcome the CJEU's ruling since it is very much in line with their previous guidance.
Although the CJEU's findings are largely unsurprising, the case is a reminder, echoing other comments from regulators, that implied consent for non-essential cookies is dead.
Website operators should revisit their cookie notice and overlays to ensure GDPR standard consent is obtained and that their practices are aligned with the increasingly exacting requirements laid out in recent regulatory guidance (such as that from the UK's ICO and the French CNIL).