In short

On 1 October 2019, the Court of Justice of the European Union (the chief judicial authority of the European Union) ruled that websites must allow users to actively choose to allow cookies. Dentons Australia privacy lead, Robyn Chatwood, analyses the case and its impact for Australian businesses.

Background to the case

By way of background, the Court of Justice of the European Union (the CJEU or Court) is the chief judicial authority of the European Union which oversees the application and interpretation of European Union law.

  1. The CJEU's case, C-673/17, Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände -- Verbraucherzentrale Bundesverband e. V. (1 October 2019)1 (the Planet49 case) involved a request for a preliminary ruling under Article 267 of the Treaty on the Functioning of the European Union (TFEU) from the Federal Court of Justice in Germany in relation an earlier decision of the Federal Court.
  2. The history of the Planet49 case started on 24 September 2013 when Planet49 GmbH (an online gaming company) conducted a promotional lottery on the website www.dein-macbook.de. Users wanting to enter into the lottery were required to enter their postcodes. This in turn redirected them to a web page where had to enter their names and addresses. Beneath those input fields were two paragraphs of explanatory text accompanied by checkboxes.
    1. The first with a checkbox (not preselected with a tick) read: I agree to certain sponsors and cooperation partners providing me with information by post or by telephone or by email/SMS about offers from their respective commercial sectors. I can determine these myself here; otherwise, the selection is made by the organiser. I can revoke this consent at any time. Further information about this can be found here.
    2. The second with a checkbox (which did have a preselected tick) read: I agree to the web analytics service Remintrex being used for me. This has the consequence that, following registration for the lottery, the lottery organiser, [Planet49], sets cookies, which enables Planet49 to evaluate my surfing and use behaviour on websites of advertising partners and thus enables advertising by Remintrex that is based on my interests. I can delete the cookies at any time. You can read more about this here.
  3. Users could only enter the lottery the first checkbox was ticked.
  4. The hyperlink associated with the words 'sponsors and cooperation partners' and 'here' next to the first checkbox opened a list of companies, their addresses, the commercial sector to be advertised and the method of communication used for their advertising. The underlined word 'Unsubscribe' was contained after the name of each of the 57 companies listed and a statement appeared before the list which said:
  5. By clicking on the "Unsubscribe" link, I am deciding that no advertising consent is permitted to be granted to the partner/sponsor in question. If I have not unsubscribed from any or a sufficient number of partners/sponsors, Planet49 will choose partners/sponsors for me at its discretion (maximum number: 30 partners/sponsors).

  6. When the hyperlink associated with the word 'here' next to the second checkbox was clicked on, the following information was displayed:

    The cookies named ceng_cache, ceng_etag, ceng_png and gcr are small files which are stored in an assigned manner on your hard disk by the browser you use and by means of which certain information is supplied which enables more user-friendly and effective advertising. The cookies contain a specific randomly generated number (ID), which is at the same time assigned to your registration data. If you then visit the website of an advertising partner which is registered for Remintrex (to find out whether a registration exists, please consult the advertising partner's data protection declaration), Remintrex automatically records, by virtue of an iFrame which is integrated there, that you (or the user with the stored ID) have visited the site, which product you have shown interest in and whether a transaction was entered into.

    Subsequently, [Planet49] can arrange, on the basis of the advertising consent given during registration for the lottery, for advertising emails to be sent to you which take account of your interests demonstrated on the advertising partner's website. After revoking the advertising consent, you will of course not receive any more email advertising.

    The information communicated by these cookies is used exclusively for the purposes of advertising in which products of the advertising partner are presented. The information is collected, stored and used separately for each advertising partner. User profiles involving multiple advertising partners will not be created under any circumstances. The individual advertising partners do not receive any personal data.

    If you have no further interest in using the cookies, you can delete them via your browser at any time. You can find a guide in your browser's ["help"] function.

    No programs can be run or viruses transmitted by means of the cookies.

    You of course have the option to revoke this consent at any time. You can send the revocation in writing to [Planet49] [address]. However, an email to our customer services department [email address] will also suffice.

  7. The German Federal Union of Consumer Organisations and Associations (Federation)2 took action against Planet49 alleging the consent was not valid for participants in the promotional lottery and did not cover the transfer of their personal data to Plante49's sponsors and partners and cover storage of the data. The Federation claimed that the declarations of consent requested by Planet49 through the first and second checkboxes did not satisfy the requirements for consent under privacy law and so it brought an action before the Regional Court in Frankfurt am Main in Germany3 seeking an injunction requiring Planet49 to cease using such declarations and to pay it EUR 214 plus interest from 15 March 2014.
  8. The Regional Court upheld the action in part. Planet49 appealed to the Higher Regional Court in Frankfurt am Main in Germany4 where that court rejected the Federation's request for an injunction on the basis that the user would realise that they could deselect the tick in that checkbox and as the court thought that the text was set out with sufficient clarity and provided enough information about the use of the cookies. The court thought it was not necessary to disclose the identity of third parties able to access the information collected by Planet49.
  9. The Federation appealed to the Federal Court of Justice in Germany5 and the appeal turned on the interpretation of the various privacy laws relating to consent from internet users to cookies. That court then sought a preliminary ruling from the CJEU.

Questions to be ruled on by the CJEU

  1. Two questions were before the CJEU.
    1. The first was whether it constitutes valid consent within the meaning of the relevant privacy laws6 if storage of information, or access to information already stored in the user's computer is permitted by way of pre-checked checkboxes which the user must deselect to refuse consent.
    2. The second question asked was what information would a service provider need to give to users and whether this needs to include the duration of the operation of the cookies or whether third parties are given access to the cookies.

Relevant privacy law

  1. By way of background, the relevant privacy laws for the Planet49 case included the following:
    1. The European Union's Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data (PII (US)) and on the free movement of such data) was a European Union directive adopted in 1995 which regulates the processing of personal data within the European Union (EU). It provides that Member States must protect the fundamental rights and freedoms of people and their right to privacy with respect to the processing of personal data.7 It also requires that any data subject's consent must be "freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed" and that personal data may be processed only if the data subject has unambiguously given his consent.8
    2. The Directive 2002/58 for the EU's Privacy and Electronic Communications law (otherwise known as ePrivacy Directive. It provides that "Consent may be given by any appropriate method enabling a freely given specific and informed indication of the user's wishes, including by ticking a box when visiting an internet website".9
    3. The General Data Protection Regulation 2016/679 (GDPR) which is the primary regulation in the EU regulating data protection and privacy for all citizens of the European Union and the European Economic Area. The GDPR Recitals 10 state that "Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided." [Emphasis added]

What did the Court decide would be valid consent for use of cookies?

  1. The CJEU ruled as follows:

    Consent must be unambiguous and derived from the user's active conduct: Consent must be given unambiguously. Only active behaviour on the part of the data subject with a view to giving his or her consent may fulfil that requirement.

    Pre-selected tick boxes not good enough: The Court held that a company cannot be sure that a user would have read the information accompanying the preselected checkbox or even notice that checkbox, before continuing with his or her activity on the website visited was selected, by not deselecting a pre-ticked checkbox is insufficient to evidence consent.

    The Court decided that active consent is not evidenced by including pre-ticked boxes - silence, pre-ticked boxes or inactivity is precluded from constituting consent.

    Clear and comprehensive information about cookies must be given including their purpose and duration and who else can access the cookie data: The Court determined that the information that the website must give to its users about the cookies being used must include the duration of the operation of cookies and whether or not third parties have access to the cookies. The Court noted that the information must be:

    1. clear and comprehensive information;
    2. include the purpose of the processing so a user is in a position to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed;
    3. clearly comprehensible; and
    4. sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed.


    To that end, the Court found that the duration of the operation of the cookies and whether or not third parties may have access to those cookies will form part of the clear and comprehensive information to be provided.

What about cookie walls?

  1. Unfortunately, there was no further guidance given by the Court on the topic of whether forcing users to accept cookies as a condition to their use of a website (that is, having a cookie wall) would satisfy the requirements of the European Union privacy laws which require freely given consent. Some national data protection authorities, such as those in Germany, the Netherlands and France, do not consider user acceptance because of a cookie wall would be valid consent.

Impact on Australian websites who target the European Economic Area

  1. The European Union requirements would be in excess of what would be needed to meet Australian laws with respect to cookies.
  2. Nevertheless any Australian businesses who operate websites which target users in the European Union would need to consider if they are caught by the relevant privacy laws – in particular, the GDPR which has wide extra territorial application and can apply to some Australian businesses.
  3. In our view, it is prudent for those Australian businesses to review their use of cookies and how they obtain consent to them from their website users. Specific consideration should be given to whether users actively choose to allow cookies and how to evidence their consent to specific cookie activity.

Footnote

1 http://curia.europa.eu

2 Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV

3 Landgericht Frankfurt am Main

4 Oberlandesgericht Frankfurt am Main

5 The Bundesgerichtshof

6 Article 5(3) and Article 2(f) of Directive [2002/58] read in conjunction with Article 2(h) of Directive [95/46]. The Court also was asked to rule on the related questions on whether, for the purposes of the application of Article 5(3) and of Article 2(f) of Directive [2002/58] read in conjunction with Article 2(h) of Directive [95/46], it makes a difference whether the information stored or accessed constitutes personal data and whether a valid consent within the meaning of Article 6(1)(a) of Regulation [2016/679] exists.

7 "Personal data" is defined under the Data Protection Directive to mean any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity

8 Article 7 of the Data Protection Directive

9 Article 17 of the ePrivacy Directive

10 Recital 32 of the GDPR.

About Dentons

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.