In a recent decision dated 1st October 2019 of the Court of Justice of the European Union (CJEU), the Court addressed the issue of Cookie Consent and the Bundling of Consent.
A German company (Planet49) organised a promotional lottery on a website. The conditions to enter the lottery were to provide some personal data and to tick at least one of two checkboxes.
The first checkbox - without a pre-selected tick – related to marketing emails and had to be ticked in order to participate in the lottery; and
x The second checkbox – with a pre-selected tick – was for obtaining consent to cookies, which users could opt out of at any time.
The Court considered 2 main questions in particular:
1. Does it constitute a valid consent if the storage of information, or access to information already stored in the user’s terminal equipment, is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent?
Does it make a difference whether the information stored or accessed constitutes personal data?
The Court ruled that:
- the storing of information, or the gaining of access to information already stored, in the terminal equipment of a user is only allowed on condition that the user concerned has given his or her consent, having been provided with clear and comprehensive information , about the purposes of the processing; and
- consent given in the form of a pre-selected tick in a checkbox does not imply active behaviour on the part of a website user. It is not sufficient if the user must object (by un-ticking the checkbox) to the use of cookies.
As a result, the consent is not validly expressed if, in the form of cookies, the storage of information or access to information already stored in a website user’s terminal equipment is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent.
The Court noted that consent must be specific so that the fact that a user selects the button to participate in a promotional lottery is not sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies. Consent should be separate rather than bundled as the provision of personal data was necessary for participation in the lottery.
The principle of consent applies irrespective of the nature of the data stored, whether personal or not. Consent requirements therefore also apply to the processing and storage of information that is not personal data
2. How is the provision by the service provider of “clear and comprehensive information” to the user to be defined ? Does this include:-the duration of the operation of the cookies; and-whether third parties are given access to the cookies?
In both cases, the answer is: “Yes.”
The “clear and comprehensive information” that service providers are obliged to give to users must include the duration of the operation of cookies and whether or not third parties may have access to those cookies.
To sum up:
Accepting cookies means giving "active consent” which seems not to be in line with the mechanism of consents that are obtained by a user’s decision to continue accessing or using a website. It is therefore necessary to audit how your company obtains cookie consent to ensure a valid use of cookies.
In this context, the future ePrivacy Regulation that is intended to complement the GDPR in strengthening the privacy and security in electronic communications should impose more duties than might have been expected.