The Court of Justice of the European Union has confirmed in the Planet49 case that a pre-ticked checkbox does not constitute valid consent for ePrivacy purposes.
This case provides clarity for EU website operators in the following ways:
- Active user consent (as defined in the GDPR) is required for all non-essential website cookies, whether or not those cookies contain personal data.
- The information given to a user about cookies (i.e. the cookie notice) must include the duration of the operation of cookies and whether or not third parties may have access to those cookies.
What the court said
Under the ePrivacy Directive (2002/58/EC), as amended by Directive 2009/136/EC, a user must give his or her consent before non-essential cookies can be used to store information on that user’s device.
The previous Data Protection Directive (95/46/EC) defined consent for the ePrivacy Directive as “any freely given specific and informed indication of his wishes”. The current GDPR provides an enhanced definition of consent, requiring ‘clear affirmative action’ to signify consent. Before Tuesday, it was unclear whether the GDPR definition had replaced the ePrivacy Directive definition. As a result, many EU website operators were often unsure whether to adopt a passive or active consent mechanism to obtain consent for the use of non-essential cookies.
Further, the Court of Justice stated that the concept of ‘active consent’ is now expressly laid down in the GDPR as a “freely given, specific, informed and unambiguous indication…by a statement or by a clear affirmative action”, meaning that the GDPR definition of consent applies to ePrivacy Directive.
It is now for the German court to provide its judgment following the Court of Justice’s decision, while the rest of the EU awaits the incoming ePrivacy Regulation in 2020, which will replace the existing ePrivacy Directive.
In particular, the latest draft of the ePrivacy Regulation suggests that it is likely that the requirement for cookie banners will be removed or reduced in two ways:
- By broadening the current ‘strictly necessary’ exemption to cookie consent under the ePrivacy Directive, cookies and similar technologies will be permitted:
- if necessary for transmission;
- with consent (GDPR standard);
- if necessary for the information society service requested; or
- if necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested.
- By transitioning consent management from a website operator level issue to a web browser issue. Article 9 of the latest draft permits consent to be handled by technical settings of software applications and Article 10 requires web browser software to provide options to manage cookies and inform users about those options.
The full judgment in the Planet49 case, Bundesverband der Verbraucherzentralen und Verbraucherverbände ̶ Verbraucherzentrale Bundesverband eV v Planet49 GmbH, is available here.
For advice on implementing appropriate measures in response to this judgment, please contact Miriam Everett, our Head of Data Protection & Privacy.