The ECJ rules on the matter of pre-ticked checkboxes and cookie consent
With a recent decision (C-673/17) dated October 1 2019, the European Court of Justice ruled on a reference for a preliminary ruling proposed by the Bundesgerichtshof (the German Supreme Court), concerning the validity of the consent to use cookies, given by means of pre-ticked checkboxes.
The dispute arose from an online promotional lottery organised by Planet49, where users were asked to agree to set cookies on their terminals, aimed at collecting information in order to promote the products of Planet 49’s partners. Users gave their consent by a pre-checked box (and could deny their consent by de-selecting it). The privacy notice did not specify that the data would be shared with third parties.
In order to seek an injunction against Planet 49, the German Federation of Consumer Organisations brought an action before the Frankfurt Tribunal, which granted the claim and enjoined Planet 49 from the use of those checkboxes. However, this decision was overturned on appeal: in fact, the judge of second instance found that users were aware of the possibility to deselect checkboxes, were provided with clear information on the use of cookies, and that the disclosure of the identity of third parties that could access the information collected was not necessary. This decision was therefore appealed by the German Federation before the German Supreme Court, which raised two preliminary questions before the EU Court of Justice.
With the first preliminary question, the German judge asked if, under EC Directives no. 2002/58 and 95/46 on the protection of personal data, in the event of pre-ticked checkboxes, user’s consent to the storage of information in his own terminal (or to access to the information already stored there) should be deemed valid, also pursuant to the recent Article 6(1) of the GDPR. In addition, the judge asked if that answer could be affected by the fact that the information stored or accessed is personal data.
The Court of Justice preliminarily pointed out that, although the GDPR has come into force after the dispute, it has been correctly taken into consideration by the referring court, since, in view of a possible injunction against future conducts of Planet49, it could be applied in the main proceedings.
As to the merit, the Court of Justice first of all recalled that Article 5(3) of Directive no. 2002/58 allows the storage of and the access to information on the user’s terminal, only on condition that the latter has expressly given his consent, after having been informed clearly and comprehensively about the purposes of the processing under Directive no. 95/46.
Although Article 5 does not indicate the way in which that consent must be given, it is likely that an active behaviour is required, since the provision expressly states that the user must have “given his or her consent”. In addition, the wording of this provision has been substantively amended by Directive EU 2009/136, that replaced the “right to refuse” the storage of cookies with the consent requirement, so that user consent may no longer be tacitly given with a non-denial.
Moreover, Directive no. 95/46 is also suitable to be interpreted as above, because the ‘indication of wishes’ provided by Article 2 seems to require an active rather than a passive behaviour, and Article 7(a) provides that the consent must be ‘unambiguous’, so that only an active behaviour can meet this last requirement.
Lastly, according to Directive no. 95/46, the data subject’s indication of wishes must be “specific” (now also by virtue of Article 4(11) of GDPR), meaning that it must signify his agreement to the specific data processing relating to him and cannot be inferred from an indication of wishes related to a different processing.
The EU Court of Justice therefore concluded that, pursuant to the aforementioned provisions (including those in the GDPR), it could not be assumed from those pre-selected checkboxes that the user had objectively and unequivocally expressed his consent to set cookies on his terminal. Furthermore, as consent must be specific, the user’s click on the “play the game” button could also not automatically be intended as his consent to use cookies.
It is worth noting that the position of the Italian Data Protection Authority, traditionally opposed to the use of pre-selected checkboxes, has always been consistent with this finding of the ECJ.
As for the additional question, according to the Court, since Article 5(3) does not specify that the information stored must be “personal data”, the characterisation of such information does not affect the above interpretation.
With the second preliminary question, the German supreme court asked whether Article 5(3) must be interpreted as meaning that the website user must be provided with information on the duration of the operation of cookies and on whether or not third parties may have access to those cookies.
On this issue, the Court of Justice recalled that, on the one hand, the possibility of third parties access to cookies is expressly included among the essential information to be provided to the data subject, under Directive no. 95/46 and also under GDPR, which expressly refers to recipients (or categories of recipients) of the data. On the other hand, although the duration of the operation of cookies is not expressly mentioned by Article 10 of Directive no. 95/46 among the information to be necessarily provided to the data subject, it is essential information, as confirmed by Article 13(2)(a) of GDPR, according to which the data processor must indicate the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.