Does your cookie pop-up still rely upon a pre-checked consent tick box for installing cookies? Then you are no longer in compliance with the ePrivacy Directive (1), nor Directive 95/46/EC (2) or the General Data Protection Regulation (3). This follows from today’s judgement of the European Court of Justice (CJEU) in the case C-673/17 (Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV v. Planet49 GmbH).
The case was brought by the German Federation of Consumer Organisations against a German company, Planet49, offering online games. Planet49 organised an online promotional lottery. To participate in this online lottery, users were required to enter their postcode which prompted a page containing input fields for the users’ names and addresses.
Beneath these fields, there were two check boxes;
The German Federation of Consumer Organisations considered this practice to be incompatible with data protection law and initiated proceedings before the German courts.
Following several contradictory judgements of the lower courts, the German Bundesgerichthof - judging in an appeal for review - referred the following prejudicial questions to the CJEU:
The Court of Justice considered that consent for the storage of information or access to information already stored in the terminal equipment of the user is not validly when the so-called authorisation given by the user relies upon a pre-checked tick box. The court emphasized that consent can be given in any appropriate manner allowing the user to indicate its wishes freely and that this clearly evokes an active and non-passive behaviour. This is even more so in the context of the GDPR, which imposes stricter consent requirements on data controllers.
According to the Court, these consent requirements cannot be interpreted differently depending on whether the information concerns personal data or non-personal data.
Finally, the Court also ruled that the information to be provided by the service provider includes the duration of the operation of cookies and the possibility for third parties to have access to those cookies. The Court confirms that clear and complete information needs to be provided, in particular on the purposes of processing. This information must enable the user to easily determine the consequences of the consent given and to ascertain that such consent is provided in full knowledge of the circumstances of the operation of the cookies. This additional information is necessary to ensure that the data subject is treated fairly.
Consequently, service providers that still rely upon pre-checked consent-boxes for installing cookies should erase the ☒.