On October 1st, in the much anticipated Planet49 case, the Court of Justice of the European Union (ECJ) affirmed an earlier opinion set forth by the Advocate-General that utilizing pre-ticked boxes to obtain consent for website cookies does not represent valid consent because it does not show affirmative, unambiguous action on the part of the data subject. The Court decided this with reference to the GDPR, the ePrivacy Directive and the GDPR’s predecessor, the Data Protection Directive, which was in force at the time of the matter at issue.
The case, referred to the ECJ by the highest court in Germany, involved an online gaming company that offered website visitors the opportunity–after providing basic contact information–to enter an online lottery. To do so, visitors were shown two checkboxes: (1) an unticked box requesting the individual to agree to receive third party marketing messages, and (2) a pre-ticked box requesting the user to consent to the placement on their browser of advertising cookies. To enter the lottery, the third party marketing checkbox had to be affirmatively ticked, whereas the advertising cookie checkbox did not have to be ticked–but had to be manually un-selected by the visitor in order to refuse her consent to such cookies.
The Court analyzed Article 5(3) of the EU’s ePrivacy Directive, which requires that users have a GDPR-level of data subject consent prior to the storage and accessing of cookies on web browsers and other devices–which is separate from the requirement to then have a lawful basis for processing any personal data derived from those cookies, as is required by Article 6 of the GDPR. The ECJ found that because ePrivacy requires that a user must have “given his or her consent” for the storage or collection of cookies, this weighs in favor of a literal interpretation such that “action is required on the part of the user in order to give his or her consent.”
Other takeaways from the case include the ECJ confirming that the ePrivacy Directive’s consent requirements with respect to the storing or accessing of “information” apply irrespective of whether the information involved amounts to “personal data” as defined by the GDPR, and the finding that for consent to be valid, website operators must transparently indicate the life span of each cookie and whether any third parties will have access to them.
Questions left unanswered by the decision include a formal opinion on the legality of so-called “cookie walls” that require consent to third party cookies as a pre-condition to general access to a website, and an opinion as to whether a data subject can be required to consent to the processing of personal data for advertising purposes in order to participate in the promotional lottery. The latter question, which the ECJ was not asked to rule on, could by extension have implications for online ad-funded content.
This case serves as a reminder that for consent to cookies to be valid in the EU, the data subject’s consent at issue must be active, rather than passive; unambiguous and not implied, as would be the case by requiring individuals to be aware enough to un-tick a pre-ticked box; and specific, rather than bundled with other terms. For a summary of the case, see here.
TrustArc’s best-in-class Cookie Consent Manager helps organizations of all industries and sizes satisfy their cookie compliance goals via its support for “zero-cookie” load experiences. Through the integration of your organization’s tag management system, or the use of our Consent Manager API, the placement of cookies or the firing of tags or trackers can be withheld until after a user affirmatively opts-in using the Consent Manager. For more information, reach out to your Technical Account Manager or contact TrustArc today.