A pre-checked checkbox does not constitute the consent that a website user must give for the storage of, and access to, cookies on their equipment. Companies therefore need to change their current practice. This was the conclusion reached by the Court of Justice of the European Union in its judgment in Case C-673/17 Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v Planet49 GmbH, published on 1 October 2019.

The main question for the Court was whether internet users need to actively consent to the storage of cookies on their device for the purpose of sending targeted advertising.

Essentially, the question was whether sufficient consent to the storage of cookies on the device can be considered to have been obtained if the person does not give consent but merely does not object to the cookie storage setting being offered. That is – whether it is acceptable for a webpage to contain a pre-checked box by which site visitors consent to the use of cookies for targeted advertising, so that the visitor has to uncheck the box in order to decline the use of cookies. This was the situation that initiated a dispute between the German Federation of Consumer Organizations and Planet49, which later led to a reference for a preliminary ruling from the Federal Court of Justice.

Conclusions of the Court

The first question referred for a preliminary ruling was whether the consent of website users given in the aforementioned form was sufficient. The answer is based on the provisions of Directives 2002/58/EC and 95/46/EC. These state that cookies may only be placed and used with the express consent of the internet user. If approval of cookies is pre-checked, it is objectively impossible to ascertain whether a visitor to the site who has not deliberately unchecked the box has actually consented to the processing of their personal data. It cannot be excluded that the user has not read or even noticed the additional information in the checkbox. The Court concluded that explicit consent can only be given by the subject by means of a proactive approach to expressing consent.

The second question concerns the information to be provided to website visitors. That is, whether it is necessary to include information about the duration of the cookies and about third parties who have access to those cookies. Even though not all cookies process personal data, the Court found that the General Data Protection Regulation (GDPR) must be applied to all such cases. It follows that the controller must be able to provide data subjects with information on how long the data will be stored, or what criteria will be taken into account to determine this period, and must include information on third parties who have access to those cookies.

Consequences for companies

These conclusions mean that companies that until now have used pre-checked checkboxes must change their current practice.

From the moment the decision came into force, companies must enable users to give their consent in a sufficiently informed manner. Users must understand the functioning of the cookies employed and the consequences of giving consent. The right to refuse must be available as an alternative.

The decision does not specify that service providers have to identify third parties by name. It will be sufficient to provide detailed information about recipients or categories of recipients of the data. Of course, information about the period for which the data will be stored or, if this is not possible, the criteria used to determine that period, must also be provided specifically.

It is important to note that the decision could apply not only to marketing cookies, but to all types of cookies. At the same time, consent is not the only possible legal basis for the use of cookies – the Court has not prohibited other options! No specific consent is necessary for technical storage or access for the sole purpose of carrying out transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

Nothing is over yet

The Planet49 decision has already started having an indirect effect. Two weeks after the ECJ decision – on 17 October 2019 – the Spanish Data Protection Authority fined the company Vueling 30,000 EUR because the cookie policy used on its website was non-compliant. This is one of the biggest fines for non-compliance with cookie consent requirements. Thus the recent attention from the supervisory authorities places the topic of cookie compliance among the priorities for companies.

So far, the ECJ has actively protected the rights of internet users, especially their privacy, as can also be seen in this decision. However, more clarity can soon be expected. A new European Union regulation on protection of privacy in the electronic environment (the so-called E-Privacy Regulation) should be adopted in the near future, replacing the previous Directive 2002/58/EC, which was last updated in 2009.

As stated by the European Commission, the new regulation will include stricter and more detailed requirements for the processing of personal data, in order to remove a number of shortcomings that the current regulatory framework has failed to avert due to rapid technological developments. One of these is lack of awareness among data subjects about the use of cookies, which in some cases results in use of cookies even without the informed consent of the subjects.

Significant emphasis is placed on issues related to consent to data processing. The new regulation refers to the GDPR, which requires that the consent of the data subject has to be obvious, demonstrable and unambiguous.

Moreover, in addition to data subjects’ right to withdraw their consent to data processing at any time, data subjects will have to be reminded of this possibility at least every six months. This obligation will continue for as long as processing of the particular data takes place.