Planet49 CJEU ruling on cookie consent: “to tick or not to tick”, that is the question

After a long wait, the CJEU’s highly anticipated ruling in the case involving the online gaming company Planet49 GmbH was issued on 1st October 2019. The case centred on the issue of pre-ticked checkboxes and whether or not they constituted valid consent in relation to cookie use¹. What information a service provider needed to provide in respect of their cookie use also came under consideration.

In this blog, we’ll look at the facts of the case, the key issues considered by the CJEU, their findings, what the ruling means for your organisation in relation to your use of cookies and the wider impact on consent mechanisms more generally.

So, what are the key facts?

On 24 September 2013, Planet49 GmbH, a German company, organised an online lottery. If users wanted to enter the lottery draw, they were required to provide their name, address and postcode. Below the input fields asking for their address, they were also presented with two statements accompanied by checkboxes which provided the following:

1. Checkbox 1 (unticked) - This required the user to agree to be contacted by several of Planet49’s sponsors and partners about their promotional offers by phone, post, email and/or SMS; and
2. Checkbox 2 (pre-ticked) - This required the user to agree to Planet49 being able to install cookies on their device using a web analytics service provider called Remintrex. This would enable Remintrex to analyse their surfing and usage behaviour on websites of Planet49’s advertising partners to use specifically for advertising purposes. A link to further information about Planet49’s use of cookies was also provided at the end of this statement and when clicked, the link also included information about Planet49’s partners and an ‘unsubscribe’ link beside each partner’s name.

Users were only able to participate in the lottery if at least Checkbox 1 was ticked. Whereas, users were able to opt out of the use of cookies by unticking Checkbox 2 and still participate in the lottery.

What were the key issues being considered by the CJEU?

The initial action in the Planet49 case was brought by a German consumer rights group (known as the Federation) on the basis that the consent obtained through the use of pre-ticked boxes did not meet German legal requirements.

The case was first considered by the German competent court of lower instance (Landgericht) which ruled that the mechanisms used to obtain the participant’s consent did not satisfy the requirements of German law. Planet49 then appealed to the German Higher Regional Court (Oberlandesgericht), that held that the Federation’s plea for an injunction was unfounded as the participants would realise that they could simply deselect the tick in the Checkbox. However, the German Federal Court of Justice (Bundesgerichtshof) had doubts about the validity of the consent and the information provided by Planet49, so it decided to stay the proceedings and referred the following questions to the CJEU for a preliminary ruling:

• Does it constitute valid consent if the storage of information, or access to information already stored in the user’s terminal equipment, is permitted by way of a pre-checked checkbox which the user must deselect to refuse his/her consent?
• Does it make a difference whether the information stored or accessed constitutes personal data?
• Does the information that a service provider has to provide to a user need to include information about the duration of the cookies used and whether any third parties are given access to the cookies?

What are the key takeaways from the CJEU’s ruling?

Fast forward to the CJEU’s ruling and the key takeaways are as follows:

• Pre-ticked boxes do not constitute valid consent - Unsurprisingly, the CJEU reiterated that for the consent to be valid it requires an unambiguous indication of the individual’s wishes by either a statement or a clear affirmative action. Therefore, the pre-ticked box used by Planet49 did not meet the standards required for valid consent (under both the General Data Protection Regulation and the ePrivacy Directive) as there was no active action taken by the participant.

• Consent cannot be bundled (or inferred) - Consent must be ‘specific’ for it to be valid. In this case, the fact that the user selected the button to participate in the lottery did not also mean they had given their consent to the processing of their personal data via cookies and/or to this data being shared with other third parties. The consent needs to be on a per purpose basis for it to be valid and not inferred.
• Consent requirements apply to personal data and non-personal data - Whilst it was acknowledged that in the main the use of cookies typically involves the processing of personal data, the aim of the legislation is to ‘protect the user from interference with his or her private sphere, regardless of whether or not that interference involves personal data’. Therefore, it was held that the consent requirements are the same for any information stored on or accessed from terminal equipment regardless of whether it contains personal or non personal data.
• Clear and comprehensive information must be provided - The CJEU held that information must be sufficiently detailed so as to enable the user to comprehend the functioning of the cookies. This includes both the duration of the operation of the cookies and the question of whether third parties are given access to the cookies. It is also important to ensure the identity of the third parties who have access is disclosed along with the purpose of their processing.

What does this mean for you?

Some practical steps you can take to start addressing the issues highlighted in the ruling include:

• Review your consent mechanisms to ensure you are not relying on pre-ticked boxes (or similar) to obtain consent;
• Review all consent mechanisms used to ensure that consents are separated on a per purpose basis and are not bundled together;
• Review your use of first and third party cookies to ensure you understand each cookie’s expiry date, what each cookie is being used for and whether it is still required - if you no longer require the cookie, then consider removing from your sites/applications etc; and
• Review your information notices to ensure they specify how long each cookie will be used for, whether any third parties have access to the cookies,who those third parties are and the purpose for which they will use the data.
• Do not forget to include the use of cookies in emails within the scope of your review.

With the introduction of the ePrivacy Regulation (potentially) on the horizon, the CJEU ruling emphasises the importance of taking action now to comply with the existing laws as well as starting to prepare for the implementation of the new Regulation. It also reaffirms the UK Information Commissioner’s Office’s blog issued in July 2019 along with its updated Cookie Guidance that “...you should start taking steps to comply now...undertake a cookie audit, document your decisions, and you will have nothing to fear”.

Keep an eye out for our next blog on this topic in which we will explore some important questions which remain unanswered by this CJEU ruling.

For further information on how PwC’s Data Protection Team can help you conduct a cookie audit and review and improve your cookie practices, please contact myself or Fedelma Good.

We also host monthly Data Protection Bootcamps, if you’re interested please sign up to attend.

Footnote

¹ Cookies is used throughout this blog as an umbrella term for cookies and similar technologies.