
Of Cookies and Consent
Within the past few weeks, a challenge to the current online advertising ecosystem occurred when the Court of Justice of the European Union published its judgment in the Planet49 case. This ruling may significantly alter how publishers and third parties are able to gather data through cookies, specifically where affirmative consent is required prior to collecting any non-essential cookies.
BACKGROUND:
This case originated from a reference from the German courts to the Court of Justice concerning the requirement for consent set out in the cookie provision (Article 5(3)) of the e-Privacy Directive. Article 5(3) provides:
…. the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.
Directive 95/46/EC, the Data Protection Directive, has been repealed and replaced by the General Data Protection Regulation (GDPR). The cookie provision has been understood – at least by some – as allowing cookie banners and the assumption that surfing constitutes consent in general practice. Whether this approach is adequate was the subject of the reference.
The underlying case concerned an online lottery where the login page had two tick boxes. The first signalled consent to being contacted for marketing purposes by third-party companies. While unticked, a user had to tick the box to participate in the lottery. The second was pre-ticked. It related to the storage of cookies on the user’s device. The questions related to:
- whether a pre-ticked box was sufficient to constitute ‘consent’ within the meaning of Article 5(3) understood in the light of the Data Protection Directive (and now the GDPR); and
- the information that must be provided to users.
In short, the answer to the first question is ‘no’. Equating the conditions for consent here to those in the DPD, the Court held that some active and clear indication of consent is required. Furthermore, it is impermissible to bundle together consent for multiple purposes (e.g. data use for the purpose of delivery of the service and for sharing with third parties) as was the case here. The Court held:
“consentmust relate specifically to the processing of the data and cannot be inferred from an indication of the data subject’s wishes for other purposes”.
In addition, the Court stated that given the requirement for clear and comprehensive information to be given to the user, the data controller should inform the user as to how long the cookies would last as well as the sharing of data with third parties. Since the cookie provision was in the ePrivacy Directive which ensures the confidentiality of communications more generally, these controls are not limited to when ‘personal data’ within the sense of the GDPR are in issue but apply to data more generally.
IMPLICATIONS:
There are a number of points worthy of note. The judgment signals the end of the acceptability of the opt-out approach which pre-ticked boxes relied on. More generally, the requirement for active consent will be a blow to those sites which have relied on implied consent (ie through continued browsing). This will no longer be adequate, no matter what a privacy policy says. It should also be noted that while Article 5(3) is generally referred to as the cookie provision, it does not cover just cookies but other ‘hidden identifiers’ (see recital 24). While the directive accepted that there may be some legitimate uses for cookies, the judgment in Planet 49 does not really distinguish between those uses so it is unclear whether the Court’s approach would also apply, for example, to analytics cookies too. Further, the requirement to identify an end point for the cookies and to give information about that may lead businesses to have to rethink how long they seek to obtain data from any given cookie.
The judgment is also interesting for what it does not say. By contrast to its Advocate General, the Court expressly refrains from discussing the question of whether requiring consent to access a service (a ‘cookie wall’) constitutes freely given consent within the terms of Article 5(3) and the GDPR. This question is thus left open for the time being. It should however be noted that recent guidance from the various data protection authorities have suggested that it would be difficult to maintain cookie walls and satisfy the requirement for freely given consent, at least as found in the GDPR.
While publishers come to understand the implications of this ruling, the impact on data-driven advertisers around the world remains uncertain. But, it will certainly have some impact – at least until the currently ongoing revision to the e-Privacy Directive is finalised.