If you have an online business, you are using cookies or a similar type of technology.
Cookies are pieces of information created by a website and stored in the browser of that website's user.
This data is captured to relay back to the originating website details such as where a user goes online, his/her name, passwords, and preferences, among other vital pieces of data.
With this in mind, the EU's Court of Justice (CJEU) judgment in the Planet49 case should not come as a surprise to you. This much-anticipated ruling focused on cookie consent and compliance under the General Data Protection Regulation (GDPR) 2016/679/EU and the Privacy and Electronic Communications Directive (ePrivacy Directive) 2002/58/EC.
Essentially, the CJEU was mandated to provide an interpretation of the EU law that governs the utilization of cookies after a referral from the German Federal Court of Justice. Therefore, this article outlines the key takeaways from this ruling that are applicable to online businesses.
Background to the Case
In 2013, Planet49 GmbH, a German gaming firm, set up a promotional lottery. To become part of the final draw, users were required to provide their name, address, and postcode. Under the input fields for their address, users were given two descriptive statements coupled with checkboxes.
- The first checkbox, which was unticked, required users to give consent to Planet49’s sponsors and partners for sending them promotional information via post, phone, e-mail, or SMS.
- On the other hand, the second checkbox, which was pre-checked, required users to consent to Planet49 placing cookies on their device through a web analytics firm referred to as Remintrex, in order to gather crucial personal data for internet-based advertising.
CJEU's Judgment and Main Takeaways
- A pre-checked box for cookies does not offer legal consent under the GDPR and the ePrivacy Directive
According to the ruling, active consent is clearly outlined in the GDPR. Primarily, Article 4(11) calls for an unambiguous indication of the individual's wishes, by either a statement or a clear affirmative action.
Furthermore, Recital 32 of the GDPR provides that silence, pre-checked boxes, or inactivity should not be presumed as consent. In this context, the CJEU interpreted that only active conduct on the part of the data subject to provide his/her consent may meet this obligation.
Based on this determination, businesses cannot:
- Utilize pre-checked boxes to validate the storage and/or reading of cookies
- Data to be given to users
The CJEU's decision makes it clear that the information extended to users must show the life span of every cookie and whether any third parties may have access to the cookies in question. The court reiterated that this requirement is a component of the clear and comprehensive information needed under Article 5(3) of the ePrivacy Directive and Article 13(2)(a) of the GDPR.
It is important to note that although the CJEU decision validates the requirement to inform consumers about third-party access to their cookie information, it does not explicitly require such parties to be identified. This aspect is consistent with Article 13(1)(e) of the GDPR.
- Businesses need to assess their data notices and review whether improvements are necessary to include the elements outlined by the CJEU’s ruling.
- Consent cannot be bundled
This judgment confirms that for consent to be valid under the GDPR, it has to be ‘specific.’ Essentially, consent ‘must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject’s wishes for other purposes.’
This point implies that the mere act of a consumer clicking on the participate button for the promotional lottery is not enough to conclude that a user legitimately gave his/her consent to the storage of cookies or the sharing of his/her information with relevant third parties.
- You should examine whether your consent requests are separated on a per-purpose basis. Essentially, you cannot ask a user to check a box to download an app and, with that same action, require them to consent to additional activities or purposes such as the processing of personal information for direct marketing communications. Other purposes require a dedicated checkbox that the consumer must actively tick to constitute valid consent.
Issues not Clarified by the Planet49 Judgment
- Cookie and Tracking Walls
Although the ruling offers crucial clarifications for cookie consent obligations, the CJEU did not address the question of whether consent to the handling of personal information for advertising can be ‘freely given’ in instances where such permission is a prerequisite for that user’s participation in the lottery.
The Planet49 ruling is a valuable reminder that you need to take cookie compliance seriously and evaluate current practices to ensure that you satisfy applicable requirements.
Furthermore, the decision outlines the required threshold for cookie consent and reaffirms the complementary nature of the GDPR and the ePrivacy Directive.