Introduction

On 1 October 2019, the Court of Justice of the European Union (CJEU) handed down a crucial decision impacting how consent is obtained on the internet.

The judgment relates to the Planet49 case,1 where the German Federal Court referred a number of questions to the CJEU about the validity of consent to cookies placed by a website operating an online lottery. The questions referred to the CJEU were:

  • Does a pre-checked box allow for valid consent to be obtained for the placement of cookies?
  • Does it matter whether information stored or accessed using cookies constitutes personal data?
  • Must users be provided with information about the cookies' duration of operation and whether third parties are given access to them?

Despite the questions' apparent simplicity, the CJEU's decision had to take into account the interaction of various pieces of legislation. While the requirement for consent before cookies are placed originates from the ePrivacy Directive,2 the requirements for valid consent are now found in the General Data Protection Regulation (GDPR).3

To complicate matters, both the facts and the initial hearing in this case occurred before the GDPR came into effect. Because the applicable law at that point was the Data Protection Directive,4 the considerations given by the CJEU to the concept of consent were primarily based on the provisions of that legislation. Rather surprisingly, however, the CJEU's conclusion on what amounts to valid consent under the Data Protection Directive essentially matches the GDPR's definition of consent.

Valid consent for cookies

The CJEU's decision confirmed the key aspects for valid consent:

  • Consent must be active, not passive.
  • Consent must be unambiguous. According to the CJEU, "only active behaviour on the part of the data subject with a view to giving his or her consent may fulfil that requirement."
  • The judgment also confirms that giving users the chance to opt out by unchecking a pre-checked box does not constitute valid consent since "consent given in the form of a preselected tick in a checkbox does not imply active behaviour on the part of the website user."
  • Consent must be specific. This means "it must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject's wishes for other purposes."

Although some commonly used approaches to comply with this obligation (eg consenting simply by using a service or remaining on a webpage) are not specifically discussed, it's clear from the reasoning above that they would be insufficient.

It's disappointing that the judgment does not address the requirement under the GDPR that consent must be "freely given" – the most difficult and contentious requirement for valid consent in practice.

The judgment does, however, confirm that this standard of consent applies to the placement of cookies irrespective of whether the information stored or accessed on a website user's terminal equipment counts as "personal data" under the GDPR.

Providing information about cookies

The CJEU concluded that the information that must be provided to users about cookies needs to include the duration of their operation and whether or not third parties could have access to them.

This conclusion was reached on the basis that the purpose of providing this information is to put users in a position where they're able to give consent in a sufficiently informed manner – understanding the role of the cookies being used and the consequences of providing consent to them.

The decision stops short of saying that service providers must identify third parties by name, meaning that it will be sufficient to provide details of data recipients or categories of data recipients. This will, no doubt, be a great relief for those tasked with drafting "clear and comprehensive" cookie policies and transparency notices.

On cookie duration, the information that must be provided is the period for which the data will be stored, or if that's not possible, the criteria used to determine that period (in line with the GDPR's transparency obligations).

Comment

The CJEU's conclusions are, overall, unsurprising. They strongly reaffirm the standard long upheld by regulators, under both the Data Protection Directive and the GDPR.

In reaching its decision, the Court has ultimately removed any room for error about the appropriate standard for consent when placing cookies. This puts real pressure on website operators – and regulators – to ensure this standard is upheld from now on.

Footnotes

1 C-673/17

2 Directive 2002/58

3 2016/679

4 Directive 95/46
