The Court of Justice of the European Union has confirmed in the Planet49 case that a pre-ticked checkbox does not constitute valid consent for ePrivacy purposes
This case provides clarity for EU website operators in the following ways:
- Active user consent (as defined in the GDPR) is required for all non-essential website cookies, whether or not those cookies contain personal data.
- The information given to a user about cookies (i.e. the cookie notice) must include the duration of the operation of cookies and whether or not third parties may have access to those cookies.
What the court said
Under the ePrivacy Directive (2002/58/EC), as amended by Directive 2009/136/EC, a user must give his or her consent before non-essential cookies can be used to store information on that user's device.
The previous Data Protection Directive (95/46/EC) defined consent for the ePrivacy Directive as "any freely given specific and informed indication of his wishes". The current GDPR provides an enhanced definition of consent, requiring 'clear affirmative action' to signify consent. Before Tuesday, it was unclear whether the GDPR definition had replaced the ePrivacy Directive definition. As a result, many EU website operators were often unsure whether to adopt a passive or active consent mechanism to obtain consent for the use of non-essential cookies.
In the Planet49 case, a German website's users were asked to sign-up to a promotional lottery. As part of the sign-up process, a pre-ticked checkbox stated that users agreed to the use of cookies for advertising purposes. The Court of Justice, applying the Data Protection Directive definition of consent, stated that an 'indication' of wishes requires active behaviour to constitute consent. As it would be "impossible" to ascertain objectively whether consent had been provided by a user not deselecting a pre-ticked checkbox (a user could ignore the message entirely), a pre-ticked checkbox could not constitute consent.
Further, the Court of Justice stated that the concept of 'active consent' is now expressly laid down in the GDPR as a "freely given, specific, informed and unambiguous indication...by a statement or by a clear affirmative action", meaning that the GDPR definition of consent applies to ePrivacy Directive.
What's next
It is now for the German court to provide its judgment following the Court of Justice's decision, while the rest of the EU awaits the incoming ePrivacy Regulation in 2020, which will replace the existing ePrivacy Directive.
In particular, the latest draft of the ePrivacy Regulation suggests that it is likely that the requirement for cookie banners will be removed or reduced in two ways:
- By broadening the current 'strictly necessary' exemption to cookie consent under the ePrivacy Directive, cookies and similar technologies will be permitted:
- if necessary for transmission;
- with consent (GDPR standard);
- if necessary for the information society service requested; or
- if necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested.
Web audience measuring is often the major reason websites need to obtain consent for the use of cookies, especially if paid advertising services are not involved, so this will likely remove the requirement for a large number of cookie consent banners across the web.
- By transitioning consent management from a website operator level issue to a web browser issue. Article 9 of the latest draft permits consent to be handled by technical settings of software applications and Article 10 requires web browser software to provide options to manage cookies and inform users about those options.
The full judgment in the Planet49 case, Bundesverband der Verbraucherzentralen und Verbraucherverbände ̶ Verbraucherzentrale Bundesverband eV v Planet49 GmbH, is available here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
