Lorna Woods, Professor of Internet Law, University of Essex

A significant ruling by the Court of Justice of the European Union (CJEU) concerning the use of cookies and the interpretation of consent under the e-Privacy Directive was issued last week in the Planet49 case. This ruling holds implications for comprehending cookie requirements under both the existing and forthcoming data protection regulations.

Judgment

At the heart of the matter was an online lottery requiring participants to provide their name and address. Before participating, users were presented with two checkboxes related to data processing consent. The first sought consent for third-party promotional offers, while the second pertained to cookie placement for lottery participation. Planet49 utilized an unticked box for the promotional offers but a pre-ticked box for cookies. The court addressed two key questions: the validity of pre-ticked boxes for consent and the information required for clear user understanding.

The e-Privacy Directive mandates user consent for cookie usage, aligning its definition of consent with the Data Protection Directive and, subsequently, the General Data Protection Regulation (GDPR). Both the Advocate General and the Court emphasized the Data Protection Directive’s requirement for an active “indication” of consent, signifying an action beyond passive acceptance.

Examining the historical context of the cookie provision, the Court highlighted the 2009 amendment that previously granted users the right to refuse cookies. Consequently, the Court deemed pre-ticked boxes insufficient for valid consent, a stance reinforced by the GDPR’s stricter definition of consent. The GDPR explicitly states that consent cannot be inferred from “silence, pre-ticked boxes, or inactivity” but allows for actions such as ticking a box on a website.

The Court clarified that the referring court did not inquire about whether making consent a prerequisite for lottery participation satisfied the “freely given” aspect of consent, therefore the CJEU refrained from addressing this point.

Considering that the e-Privacy Directive extends beyond personal data, the referring court questioned the applicability of the consent definition to non-personal data. Despite acknowledging that the case involved personal data, the Court, echoing the Advocate General’s perspective, highlighted that the e-Privacy Directive’s Article 5(3) pertains broadly to “the storing of information” and “the gaining of access to information already stored,” without specifying the type of data.

Regarding the specific information users should receive, such as the duration of cookie use and third-party access, the Court referenced the general obligation to provide “clear and comprehensive information.” Although not explicitly listed in the Data Protection Directive or GDPR, the Court underscored the significance of duration, given the potential for extensive data collection over extended periods. They supported this by pointing to the GDPR’s requirement for controllers to specify data storage duration.

Comment

This ruling holds substantial implications for entities reliant on cookies for data collection, as it underscores the need for “active consent.” While this requirement is explicitly stated in the GDPR, it was less clear under the Data Protection Directive. Despite the Data Protection Directive’s repeal and the GDPR’s current enforcement, this ruling serves as a firm confirmation that the GDPR’s definition of consent applies to the e-Privacy Directive.

Interpreting consent through both the GDPR and Data Protection Directive lenses, this ruling marks the first regarding consent under the GDPR. It can be viewed as part of a broader movement against “surveillance capitalism” techniques, evident in ongoing investigations across Member States and recent guidance from the Information Commissioner’s Office (ICO) on cookie usage.

Importantly, the e-Privacy Directive’s scope extends beyond personal data to encompass the “private sphere of individuals” and their “terminal equipment,” implying that national rules should remain stringent even when personal data is not involved. The Court emphasizes that e-Privacy Directive protections encompass not just cookies but also “hidden identifiers and other similar devices,” suggesting the need for active consent for these technologies as well. Notably, while this ruling pertains to the e-Privacy Directive, the position under the proposed ePrivacy Regulation, if enacted, remains to be seen.

Finally, the issue of “freely given” consent requires attention. The German court did not question whether mandating consent for service access was permissible, and the Court did not address this aspect independently. It is anticipated that this point will resurface before the Court in the future.

Photo credit: pcmag