On October 1, 2019 the Court of Justice of the European Union (CJEU) ruled that pre-ticked boxes do not constitute a valid consent by web users prior to storing cookies on their devices (Verbraucherzentrale Bundesverband e.V. and Planet49 GmbH; Case C-673/17). The decision follows a challenge by the German Federation of the Consumer Organisations against the use of a pre-ticked checkbox which had, by default, consented to cookies on behalf of the user.
The case at hand arose from a lottery organised by Planet49 GmbH, on its website. In order to register as a participant, the website users were required to enter their names and addresses. Beneath the input fields for the address, were two sets of checkboxes.
The first checkbox was not pre-ticked, and asked for participants’ consent to being contacted by sponsors regarding their commercial offers. The second checkbox, which was already pre-ticked, asked for participants’ consent to have cookies placed on their devices for the purpose of providing targeted ads. Users were not informed about the fact that participation in the competition would have been possible without a check mark in this box.
The CJEU held that the consent required for the storage and retrieval of cookies on the user’s device, if applicable, is not given effectively by way of a preset checkbox, which the user may have to deselect. The Court decided that active consent is not evidenced by including pre-ticked boxes – silence, pre-ticked boxes or inactivity is precluded from constituting consent.
This decision of the Court is based on Article 5(3) of the ePrivacy Directive, which requires Member States to ensure that the storage of and access to cookies is only permitted if the user concerned has given his consent on the basis of clear and comprehensive information for the purposes of processing. The ePrivacy Directive defines consent as "any freely given, specific and informed expression of intention by which the data subject accepts that personal data relating to him or her will be processed".
Art. 6 para. 1 of the GDPR lays down strict requirements regarding the lawfulness of the processing of personal data and the concept of consent. According to Art. 4 para. 11 of the GDPR, effective consent requires a "voluntary, informed and unambiguous expression of intent in the form of a statement or other unambiguous confirmatory act". The 32nd recital of the GDPR states that “silence, ticked boxes or inactivity” do not constitute consent within the meaning of Art. 6 of the GDPR.
The CJEU held that consent must be unambiguous and only active behaviour on the part of the user to give his/her consent may fulfil that requirement. The Court further stated that in the case of consent obtained through a preset checkbox, active behaviour on the part of the user cannot be assumed, since it is possible in principle that the user may not have read the information attached to the preset checkbox or may not have taken any notice of it at all, as a result of which it cannot be established whether consent is actually based on knowledge of the facts.
Does it make any difference whether the information stored or retrieved in the user’s device is personal data?
The CJEU was of the opinion that users should be protected from any invasion of their privacy, regardless of personal data being involved or not. Visitors to a website should in particular be protected against the risk of so-called "hidden identifiers" or similar instruments penetrating their devices.
Art. 5 para 3 of the ePrivacy Directive concerns the “storage of information” and access to information that has already been stored, wherein this “information” has not been described in more detail. According to the CJEU, there is therefore no indication that the information concerned must mandatorily be personal data.
Does the duty to provide information as laid down in Article 5(3) of the ePrivacy Directive include information about the duration of the functioning of cookies and information about the access rights of the third parties?
Specifically, "the clear and comprehensive information must enable the user to easily determine the consequences of any consent given by him and ensure that the consent is given with full knowledge of the facts. The information shall be sufficiently clear and detailed to enable the user to understand the operation of the cookies used".
Art. 10 of the Directive 95/46, to which Art. 5 para. 3 of the ePrivacy Directive refers, and Art. 13 of the GDPR list the information which the user must obtain from the website operator responsible for processing the data. This information includes the identity of the controller, the intended purposes for the processing and other information such as the recipients or categories of recipients of the data.
Although the duration of the processing of the data is not amongst the information listed above, the CJEU is of the opinion that the phrase “at least the following information” in Art. 10 of Directive 95/46 indicates that the list of required information is not an exhaustive list. The CJEU stated that the information on the duration of the functioning of cookies is also covered by the duty to provide information in accordance with the principle of good faith. In order to ensure fair and transparent processing of the data, a website operator must also inform the user of the duration of the functioning of the cookies. If this is not possible, it must inform the user about the criteria for determining the duration of the data storage.
Information about the access rights of third parties to cookies constitutes ‘information’ within the meaning of Art. 10(c) of Directive 94/46 and within the meaning of Art. 13 para. 1(e) of the GDPR, since they expressly state that the data controller must inform the users of the recipients or categories of recipients of the data at the time that the data is collected.
In conclusion, the service provider must inform the users comprehensively about both, the functional life of cookies as well as about the access of third parties to the cookies.
With its ruling, the CJEU strengthened the position of users. It held that the users should be protected from any invasion of their privacy. The court made it clear that an internet user must actively agree to the installation of cookies, provided consent is required for the same. A pre-checked box does not satisfy the requirements of European data protection law.
The guidelines laid down by the CJEU essentially reflect the principles developed by the Conference of the Independent Data Protection Supervisory Authorities of the Federal Government and the Länder (DSK). Earlier this year, the DSK had declared in a legally non-binding orientation guide that the data protection provisions of national law were no longer applicable under the GDPR.
It is worth noting that in its judgement, the CJEU has predominantly interpreted the old ePrivacy Directive in the version 2009/136 (“Cookie Directive”), which does not make any statement about the lawfulness of data processing per se. The CJEU makes no comment about whether a declaration of consent is required for certain types of cookies, tracking and online marketing, as tended to be required by German data protection supervisory authorities. Further, the CJEU makes no mention about whether data processing is justified on the basis of a legitimate interest pursuant to Art. 6 para. 1(f) of the GDPR, as it is often advocated in literature. In practice however, one should now ask oneself whether - in addition to a possibly required declaration of consent for the installation of cookies – a declaration of consent for the tracking and marketing tools used should also be obtained at the same time.
Website operators should first determine whether or not cookies are required to be installed in browsers when their website is accessed. If they decide to install the cookies, then the second step would be to determine what type of cookies are used. Only those cookies that are vital for the use of the website in order to guarantee full functionality of the website and those cookies that can be justified under Art. 6 para.1(f) of the GDPR do not require user’s consent.
It still remains questionable whether or not a data protection supervisory authority can impose a fine, in the event a German website failed to obtain effective cookie consent. Neither the Cookie Directive nor the old TMG provide for the million euro fines as is done by the GDPR. The supervisory authorities have expressed the view that the TMG is no longer applicable. A higher fine is therefore only imminent if the data processing is carried out by way of a cookie that violates the GDPR. It should be emphasised that the CJEU has not made a statement regarding this important issue.