On Tuesday, the Court of Justice of the European Union issued a highly anticipated ruling on the scope of consent requirements with respect to cookie compliance. While the key points of the decision did not come as a big surprise to the privacy community, it will likely require many website operators to re-evaluate and update their cookie consent practices.
Importantly, with today’s decision, the CJEU established that consent cannot validly be obtained through the use of pre-checked boxes. The ruling resolves several specific questions about how consent can be validly obtained under the current EU data protection regime, including both the ePrivacy Directive and the EU General Data Protection Regulation.
Background
The Federal Court of Justice in Germany, the Bundesgerichtshof, requested a preliminary ruling from the Court of Justice of the European Union regarding two questions on the meaning and application of Article 5(3) and Article 2(f) of Directive 2002/58/EC in conjunction with Article 2(h) of Directive 95/46/EC and Article 6(1)(a) of Regulation 2016/679.
The case involved participation in a lottery organized by Planet49 GmbH, an online gaming company. To enter the lottery, internet users were prompted to enter their postal codes, names and addresses, then presented with two checkboxes accompanied by explanatory texts. The first checkbox required the user to agree to be contacted by other firms for promotional offers. The second checkbox, which contained a pre-selected tick, required the user to consent to the installation of cookies on their device. In order to participate in the lottery, the first checkbox needed to be ticked.
The questions referred to the CJEU concerned consent, namely, whether valid consent had been obtained for storing information and for storing cookies on a user’s terminal equipped if it has been sought “by way of a pre-checked checkbox which the user must unselect to refuse his consent.” The CJEU was also asked to clarify whether information service providers need to give users information specifically about the duration of the operation of the cookies and whether third parties are given access to them.
Key points
Consent must be obtained through active behavior
Reading the consent provisions under Directive 95/46 and Regulation 2016/679 as requiring consent to be obtained through some active behavior on the part of the user, the CJEU decided that a pre-ticked box does not constitute valid consent by the data subject.
As the wording of Article 5(3) of Directive 2002/58/EC is that the user must have “given his or her consent” to the storage of and access to cookies on their terminal equipment, the court conceded that it “does not … indicate the way in which that consent must be given.” However, regarding the phrase “given his or her consent,” the court argued that it “lend[s] itself to a literal interpretation according to which action is required on the part of the user in order to give his or her consent.”
Article 2(h) of Directive 95/46 defines “data subject’s consent” as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.” Within this definition, the CJEU’s opinion and judgment focused on the term “indication,” which it argued, “clearly points to active, rather than passive, behaviour.” The court also noted that the consent is even more stringently defined under the GDPR and that the notion of “[a]ctive consent is thus now expressly laid down in Regulation 2016/679.”
Accordingly, if a user’s designation of consent is pre-formulated, the user is not giving active consent. As the advocate general stated, and as acknowledged in the CJEU’s judgment, “requiring a user to positively untick a box and therefore become active if he does not consent to the installation of cookies does not satisfy the criterion of active consent. … By contrast, requiring a user to tick a box makes such an assertation far more probable.” Indeed, Recital 32 of the GDPR lists “ticking a box when visiting an internet website” as an example of how valid consent can be obtained from a user.
Moreover, in his opinion, the advocate general also linked the notion of active consent to that of separate consent. While the court’s judgment did not include this, he argued that it “appears … doubtful” that bundling an expression of consent with the expression of another intention would be in conformity with the notion of consent under Directive 95/46.
Consent requirements also apply to the processing and storage of information that is not personal data
As the CJEU noted, Article 5(3) of Directive 2002/58 refers to the “storing of information, or the gaining of access to information already stored,” so any such information would have privacy implications regardless of whether or not it constituted personal data within the meaning of Article 4(1) of the GDPR. Recitals 24 and 25, as well as opinions of the Article 29 Working Party, corroborate this view that the information need not be personal data for Article 5(3) of Directive 2002/58 to apply.
Users must be provided information on cookie duration and access by third parties
Finally, regarding the question of what information the service provider must give to provide clear and comprehensive information to the user in accordance with Article 5(3) of Directive 2002/58, the court ruled that this includes the duration of the cookies and if third parties have access to them.
Unresolved issues
While it provided much-needed clarity on the more technical components of valid consent, it left open question as to whether the requirement for consent to be “freely given” (under Article 2(h) of Directive 95/46 and of Article 4(11) and Article 7(4) of Regulation 2016/679) is compatible with requiring a user to consent to the processing of their personal data for advertising purposes as a prerequisite for participation in a promotional lottery.
A judgment on this point would have brought much-needed clarity to the unresolved problem of so-called “cookie walls.” The choice to condition entrance to a website on the acceptance of cookies remains troublesome given the divergence of opinion among national data protection authorities on the issue. Although several DPAs (France, Germany, the Netherlands) have considered cookie walls not to be allowable under the GDPR, at least one — the U.K. Information Commissioner's Office — appears to be “sitting on the fence on this — at least for the moment.”
Consent is a critical topic that both lawmakers and privacy professionals continue to work toward better regulating, as well as implementing in practice. As pre-ticked boxes will likely fade into historical memory, more questions will undoubtedly arise about whether specific consent mechanisms are valid under the EU’s data protection regime. While the judgment demonstrates that consent must be obtained by “active” behavior, it will be interesting to see how website mechanisms change to meet this newly clarified standard.
Photo credit: Image provided by the Court of Justice of the European Union.