Update Data Protection No. 66
CJEU: Pre-checked consent to the use of cookies is inadmissible
On October 1, 2019 the Court of Justice of the European Union (CJEU) ruled that pre-ticked boxes do not constitute a valid consent by web users prior to storing cookies on their devices (Verbraucherzentrale Bundesverband e.V. and Planet49 GmbH; Case C-673/17). The decision follows a challenge by the German Federation of the Consumer Organisations against the use of a pre-ticked checkbox which had, by default, consented to cookies on behalf of the user.
Background
The case at hand arose from a lottery organised by Planet49 GmbH, on its website. In order to register as a participant, the website users were required to enter their names and addresses. Beneath the input fields for the address, were two sets of checkboxes.
The first checkbox was not pre-ticked, and asked for participants’ consent to being contacted by sponsors regarding their commercial offers. The second checkbox, which was already pre-ticked, asked for participants’ consent to have cookies placed on their devices for the purpose of providing targeted ads. Users were not informed about the fact that participation in the competition would have been possible without a check mark in this box.
The Bundesverband (Federation of German Consumer Organisations) instituted court proceedings against Planet49 alleging that the latter’s declaration of consent used for the lottery was insufficient and did not meet the mandated requirements of informed and freely given consent. Additionally, the consent did not cover the transfer of the users’ personal data to Planet49’s partners and sponsors. The Bundesverband brought an action seeking injunction before the Landgericht Frankfurt a.M. (Regional Court Frankfurt) requiring Planet49 to cease using such declarations. The LG Frankfurt a.M. granted the injunction, causing Planet49 to appeal to the Oberlandesgericht Frankfurt a.M. (Higher Regional Court Frankfurt). The OLG Frankfurt a.M. partially granted the appeal of Planet49 GmbH and decided that the granting of consent to the use of cookies was also possible by way of a pre-formulated declaration, which could be contradicted by unticking a preset check mark. The OLG Frankfurt dismissed the complaint as unfounded since it was of the opinion that the users were aware that the preset check mark could have been unticked at any point of time. The court deemed it unnecessary to disclose the identity of third parties that were able to access the information collected by Planet49.
The Federation appealed this decision of the OLG to the Bundesgerichtshof (Federal Court of Justice in Germany). The BGH then sought preliminary ruling from the CJEU. Specifically, the BGH asked the CJEU the following questions: (1) whether a pre-ticked check box that the user must deselect to refuse the use of cookies would constitute a valid consent within the meaning of the Data Protection Directive for Electronic Communications 2002/58 (“ePrivacy Directive”) in conjunction with the GDPR; and (2) what information does the service provider have to give with respect to the use of cookies, and must that information include the duration of the functioning of the cookies and whether third parties are given access to the cookies.
Decision of the CJEU on questions referred
Preselected checkbox a valid consent for use of cookies?
The CJEU held that the consent required for the storage and retrieval of cookies on the user’s device, if applicable, is not given effectively by way of a preset checkbox, which the user may have to deselect. The Court decided that active consent is not evidenced by including pre-ticked boxes – silence, pre-ticked boxes or inactivity is precluded from constituting consent.
This decision of the Court is based on Article 5(3) of the ePrivacy Directive, which requires Member States to ensure that the storage of and access to cookies is only permitted if the user concerned has given his consent on the basis of clear and comprehensive information for the purposes of processing. The ePrivacy Directive defines consent as "any freely given, specific and informed expression of intention by which the data subject accepts that personal data relating to him or her will be processed".
Art. 6 para. 1 of the GDPR lays down strict requirements regarding the lawfulness of the processing of personal data and the concept of consent. According to Art. 4 para. 11 of the GDPR, effective consent requires a "voluntary, informed and unambiguous expression of intent in the form of a statement or other unambiguous confirmatory act". The 32nd recital of the GDPR states that “silence, ticked boxes or inactivity” do not constitute consent within the meaning of Art. 6 of the GDPR.
The CJEU held that consent must be unambiguous and only active behaviour on the part of the user to give his/her consent may fulfil that requirement. The Court further stated that in the case of consent obtained through a preset checkbox, active behaviour on the part of the user cannot be assumed, since it is possible in principle that the user may not have read the information attached to the preset checkbox or may not have taken any notice of it at all, as a result of which it cannot be established whether consent is actually based on knowledge of the facts.
Does it make any difference whether the information stored or retrieved in the user’s device is personal data?
The CJEU was of the opinion that users should be protected from any invasion of their privacy, regardless of personal data being involved or not. Visitors to a website should in particular be protected against the risk of so-called "hidden identifiers" or similar instruments penetrating their devices.
Art. 5 para 3 of the ePrivacy Directive concerns the “storage of information” and access to information that has already been stored, wherein this “information” has not been described in more detail. According to the CJEU, there is therefore no indication that the information concerned must mandatorily be personal data.
Does the duty to provide information as laid down in Article 5(3) of the ePrivacy Directive include information about the duration of the functioning of cookies and information about the access rights of the third parties?
According to the CJEU ruling, users must be fully informed about the use of cookies prior to consent is given.
Specifically, "the clear and comprehensive information must enable the user to easily determine the consequences of any consent given by him and ensure that the consent is given with full knowledge of the facts. The information shall be sufficiently clear and detailed to enable the user to understand the operation of the cookies used".
Art. 10 of the Directive 95/46, to which Art. 5 para. 3 of the ePrivacy Directive refers, and Art. 13 of the GDPR list the information which the user must obtain from the website operator responsible for processing the data. This information includes the identity of the controller, the intended purposes for the processing and other information such as the recipients or categories of recipients of the data.
Although the duration of the processing of the data is not amongst the information listed above, the CJEU is of the opinion that the phrase “at least the following information” in Art. 10 of Directive 95/46 indicates that the list of required information is not an exhaustive list. The CJEU stated that the information on the duration of the functioning of cookies is also covered by the duty to provide information in accordance with the principle of good faith. In order to ensure fair and transparent processing of the data, a website operator must also inform the user of the duration of the functioning of the cookies. If this is not possible, it must inform the user about the criteria for determining the duration of the data storage.
Information about the access rights of third parties to cookies constitutes ‘information’ within the meaning of Art. 10(c) of Directive 94/46 and within the meaning of Art. 13 para. 1(e) of the GDPR, since they expressly state that the data controller must inform the users of the recipients or categories of recipients of the data at the time that the data is collected.
In conclusion, the service provider must inform the users comprehensively about both, the functional life of cookies as well as about the access of third parties to the cookies.
Implications of the decision
With its ruling, the CJEU strengthened the position of users. It held that the users should be protected from any invasion of their privacy. The court made it clear that an internet user must actively agree to the installation of cookies, provided consent is required for the same. A pre-checked box does not satisfy the requirements of European data protection law.
Further, the court held that stringent requirements regarding the duty to provide information about the functioning and access to cookies must be observed. All cookies requiring consent for advertising, analysis and tracking are hit by these requirements. Even websites that have previously used so-called “cookie-banners” do not meet the data protection standards of the Court of Justice of the European Union (CJEU), in most cases. On the one hand, such banners can be easily removed from the screen with just a quick click without requiring further consent – wherein a single click on a button reading “OK” or “I understand” can be regarded as a valid declaration of consent, provided that the cookie banner includes a detailed information text. On the other hand, very few of these banners require users to actively confirm their consent, for example by ticking a box. A cookie banner with the note “Whoever uses this website implicitly agrees to the use of cookies” can no longer be interpreted as a valid declaration of consent. In addition to this, there is often a lack of sufficient information about the cookies, their functions and their duration of functioning. It is vital to note that cookies are only to be installed if a cookie banner or a preference centre has actively agreed to them in advance.
The guidelines laid down by the CJEU essentially reflect the principles developed by the Conference of the Independent Data Protection Supervisory Authorities of the Federal Government and the Länder (DSK). Earlier this year, the DSK had declared in a legally non-binding orientation guide that the data protection provisions of national law were no longer applicable under the GDPR.
No CJEU statement regarding the conditions under which a cookie is subject to mandatory consent (Art. 6(1) GDPR)
It is worth noting that in its judgement, the CJEU has predominantly interpreted the old ePrivacy Directive in the version 2009/136 (“Cookie Directive”), which does not make any statement about the lawfulness of data processing per se. The CJEU makes no comment about whether a declaration of consent is required for certain types of cookies, tracking and online marketing, as tended to be required by German data protection supervisory authorities. Further, the CJEU makes no mention about whether data processing is justified on the basis of a legitimate interest pursuant to Art. 6 para. 1(f) of the GDPR, as it is often advocated in literature. In practice however, one should now ask oneself whether - in addition to a possibly required declaration of consent for the installation of cookies – a declaration of consent for the tracking and marketing tools used should also be obtained at the same time.
Looking ahead – steps that website operators should take
Website operators should first determine whether or not cookies are required to be installed in browsers when their website is accessed. If they decide to install the cookies, then the second step would be to determine what type of cookies are used. Only those cookies that are vital for the use of the website in order to guarantee full functionality of the website and those cookies that can be justified under Art. 6 para.1(f) of the GDPR do not require user’s consent.
With regard to cookies that require consent, it must be ensured that the respective cookie is not installed until the user has actively consented to its use. Prior installation of the cookie on the user’s browser is not permitted. Mere indication about the use of cookies does not fulfil the requirements for effective consent. Therefore, website operators must offer the users an active consent option. To this end, it is advisable to divide the cookies used into categories according to their purpose (e.g. into "analysis cookies" and "marketing cookies" or "comfort cookies", "statistics cookies” and "personalisation cookies”) and to describe these categories in more detail, as is more frequently the case in so-called "preference centres" before the start of the use of a website. The user should be able to accept different cookies on the basis of their function. It might also be possible to adopt a user-friendly “Select All” button, which may be used to consent to all the cookie categories displayed, at the same time. This would counteract the risk of “consent tired” Internet users closing the cookie notification without individually giving their consent, in order to avoid frequent clicking.
It still remains questionable whether or not a data protection supervisory authority can impose a fine, in the event a German website failed to obtain effective cookie consent. Neither the Cookie Directive nor the old TMG provide for the million euro fines as is done by the GDPR. The supervisory authorities have expressed the view that the TMG is no longer applicable. A higher fine is therefore only imminent if the data processing is carried out by way of a cookie that violates the GDPR. It should be emphasised that the CJEU has not made a statement regarding this important issue.