CJEU rules: pre-ticked checkboxes do not constitute valid cookie consent

Does your cookie pop-up still rely upon a pre-checked consent tick box for installing cookies? Then you are no longer in compliance with the ePrivacy Directive (1), nor Directive 95/46/EC (2) or the General Data Protection Regulation (3). This follows from today’s judgement of the European Court of Justice (CJEU) in the case C-673/17 (Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV v. Planet49 GmbH).

The case

The case was brought by the German Federation of Consumer Organisations against a German company, Planet49, offering online games. Planet49 organised an online promotional lottery. To participate in this online lottery, users were required to enter their postcode which prompted a page containing input fields for the users’ names and addresses.

Beneath these fields, there were two check boxes;

1. The first one requested consent for processing of personal data for marketing purposes and was not pre-checked.
2. The second box, a pre-ticked one, requested consent for cookies that were used to retrieve information that enabled more user-friendly and effective advertising.

The German Federation of Consumer Organisations considered this practice to be incompatible with data protection law and initiated proceedings before the German courts.

Prejudicial questions

Following several contradictory judgements of the lower courts, the German Bundesgerichthof - judging in an appeal for review - referred the following prejudicial questions to the CJEU:

• Does a pre-checked tick box which the user must unselect to refuse his/her consent for the storage of information or access to information already stored in the user’s terminal equipment constitute a valid consent within the meaning of the ePrivacy Directive, the Directive 95/46/EC and the GDPR?
• Does the answer to the foregoing question differ if the information stored or accessed does not constitute personal data?
• Does the information notice given by the service provider need to include information on (1) the duration of the operation of cookies and (2) whether or not third parties are given access to the cookies?

The Court of Justice considered that consent for the storage of information or access to information already stored in the terminal equipment of the user is not validly when the so-called authorisation given by the user relies upon a pre-checked tick box. The court emphasized that consent can be given in any appropriate manner allowing the user to indicate its wishes freely and that this clearly evokes an active and non-passive behaviour. This is even more so in the context of the GDPR, which imposes stricter consent requirements on data controllers.

According to the Court, these consent requirements cannot be interpreted differently depending on whether the information concerns personal data or non-personal data.

Finally, the Court also ruled that the information to be provided by the service provider includes the duration of the operation of cookies and the possibility for third parties to have access to those cookies. The Court confirms that clear and complete information needs to be provided, in particular on the purposes of processing. This information must enable the user to easily determine the consequences of the consent given and to ascertain that such consent is provided in full knowledge of the circumstances of the operation of the cookies. This additional information is necessary to ensure that the data subject is treated fairly.

Consequently, service providers that still rely upon pre-checked consent-boxes for installing cookies should erase the ☒.

Liesa Boghaert

References:

• 1) Directive 2002/58/EC of the Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
• 2) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
• 3) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).