As background to the case, Planet49, a German online gaming company, hosted a lottery on its website in 2013. To enter, the user was presented with two checkboxes:
- The first checkbox (un-ticked by default) requested the user's consent to be contacted by sponsors or partners for marketing purposes.
- The second checkbox (ticked by default) gave the opportunity to opt out of behavioural analytics that would result in advertising based on the user’s interests.
A key point to note is that participation in this lottery could only happen if the user at least agreed to the first checkbox, acknowledging that their information could be used for marketing purposes.
The federation of German consumer organisations took an action against Planet49 on the basis that it was requesting invalid consent, as the user was not providing a freely given, specific and informed indication of their wishes. The case ended up at the CJEU, who considered the case against the applicable legal frameworks of the Privacy and Electronic Communications Directive 2002 (ePrivacy Directive), the 1995 Data Protection Directive (in effect at the time of the activity being reviewed) and the General Data Protection Regulation (GDPR), which has since come into effect.
This month’s judgement from the CJEU agreed with the earlier opinion of the Advocate General and the Court issued their findings as follows:
- Pre-ticked Boxes – Consent gained for the purposes of storing information using cookies or similar technologies is not valid if presented in a form that the user has to opt out of, using methods like pre-ticked checkboxes.
- Storage of Data (not only Personal Data) – To come in scope of consent requirements, it is not necessary that the data falls under the definition of personal data, but rather that it is data stored on a user’s terminal equipment that is not strictly necessary to provide the service to the user. This is due to the relevant provision of the ePrivacy Directive, Article 5(3), which regulates the storage of ‘information’, not solely personal data.
- Bundling of Consent – The Court did not consider the question of whether consent could be considered freely given if it is a pre-condition to other processing (in this example – agreeing to be marketed to in order to participate in a lottery), although the Advocate General’s Opinion in advance of the case did express this opinion. Should the Court be referred such a question in future, we would expect a similar finding in line with Article 4(11) and Article 7(4) of the GDPR.
- Retention Periods – A user should be informed of the duration of the operation of cookies and whether third parties may have access to those cookies.
Operators of websites should take measures in light of this judgement to ensure that they have appropriate transparency and control mechanisms in place. Among items for consideration are:
- Ensure that, when processing is based on consent, that consent is freely given, informed and specific to the purpose it is being collected for – no pre-ticked boxes and no requiring consent as a pre-condition to other processing.
- Provide appropriate control mechanisms to manage consents. Consent should be as easy to withdraw as it was to give.
- Address the increased transparency requirements in terms of communicating retention periods for cookies and similar technologies.
The interplay between ePrivacy and the GDPR is clear in this judgement and it provides further reinforcement to the recent cookie guidance issued by European data protection authorities while also extending the transparency requirement to include information about retention periods and third party access. Website operators should review how these are presented accordingly.
Trilateral’s advisors can support you in meeting your compliance needs. For more information visit Trilateral’s Data Governance page and contact our team.