If you have an online business, you are using cookies or a similar type of technology.
If you have an online business, you are using cookies or a similar type of technology.
Primarily, cookies refer to the information created by the webpage and then stored about the user of that website’s browser.
This data is captured to relay back to the originating website, details of where a user visits online, his/her name, passwords, preferences, among other vital pieces of data.
With this in mind, the EU's Court of Justice (CJEU) judgment on the Planet 49 case should not come as a surprise to you. This much-anticipated ruling focused on cookie consent and compliance under the General Data Protection Regulation (GDPR) 2016/679/EU and the Privacy and Electronic Communications Directive (ePrivacy Directive) 2002/58/EC.
Essentially, the CJEU was mandated to provide an interpretation of the EU law that governs the utilization of cookies after a referral from the German Federal Court of Justice. Therefore, this article outlines the key takeaways from this ruling that are applicable to online businesses.
Background to the Case
Explore more privacy compliance insights and best practices
In 2013, Planet49 GmBH, a German gaming firm, set up a promotional lottery. To become part of the final draw, users were required to provide their name, address, and postcode. Under the input fields for their address, users were given two descriptive statements coupled with checkboxes.
Interestingly, the lottery's terms and conditions stated that users could only take part if at least the first checkbox was ticked. Nonetheless, they could opt-out of the use of cookies, if they unchecked the second checkbox manually.
CJEU’S Judgement and Main Takeaways
According to the ruling, active consent is clearly outlined in the GDPR. Primarily, Article 4 (11) calls for an unmistakable indication of the individual’s wishes, by either a statement or vivid affirmative action.
Furthermore, Recital 32 of the GDPR provides that silence, pre-checked boxes, or inactivity should not be presumed as consent. In this context, the CJEU interpreted that only active conduct on the part of the data subject to provide his/her consent may meet this obligation.
Based on this determination, businesses cannot;
The CJEU's decision makes it clear that information extended to users must show the life span of every cookie and whether any third parties may have access to the cookies in question. The court reiterated that this requirement is a component of the vivid and detailed information needed under Article 5(3) of the ePrivacy Directive and Article 13(2)(a) of the GDPR.
According to the CJEU, the core objective of giving a user 'clear and detailed' information regarding the handling of information before getting consent for the use of cookies it to make sure that the consumer can 'determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed.’
It is important to note that although the CJEU decision validates the requirement to inform consumers about third-party access to their cookie information, it does not explicitly require such parties to be identified explicitly. This aspect is consistent with Article 13(1)(e) of the GDPR.
Therefore;
This judgment confirms that for consent to be valid under the GDPR, it has to be ‘specific.’ Essentially, consent ‘must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject’s wishes for other purposes.’
This point implies that the mere act of a consumer clicking on the participate button for the promotional lottery is not enough to conclude that a user legitimately gave his/her consent to the storage of cookies or the dissemination of his/her information with relevant third-parties.
In practice;
Issues not Clarified by Planet 49 Judgment
Although the ruling offers crucial clarifications for cookie consent obligations, the CJEU did not address the question of whether consent to the handling of personal information for advertising can be 'freely given' in instances where such permission is a prerequisite for that user's participation in the lottery.
Comment
The Planet 49 ruling is a valuable reminder that you need to take cookie compliance seriously and evaluate current practices to ensure that you satisfy applicable requirements.
Furthermore, the decision further outlines the required threshold for cookie consent and reaffirms the complementary nature of the GDPR and the ePrivacy Directive.
Do not find yourself on the wrong side of both the GDPR and the ePrivacy Directive cookie consent requirements. Our free GDPR and ePrivacy Regulation e-book provides a simplified step-by-step breakdown of the two laws to help you understand what you need to become compliant with the GDPR and the ePrivacy Directive.
Alternatively, Schedule a call with us today and get expert guidance on what you need to do to avoid unnecessary penalties for cookie consent violations under the GDPR and the ePrivacy Directive.
Schedule a call to learn more
