Of Cookies and Consent

Within the past few weeks, a challenge to the current online advertising ecosystem occurred when the Court of Justice of the European Union published its judgment in the Planet49 case. This ruling may significantly alter how publishers and third parties are able to gather data through cookies, specifically where affirmative consent is required prior to collecting any non-essential cookies.

BACKGROUND:

This case originated from a reference from the German courts to the Court of Justice concerning the requirement for consent set out in the cookie provision (Article 5(3)) of the e-Privacy Directive.  Article 5(3) provides:

…. the  storing  of  information,  or  the  gaining   of   access   to   information   already   stored,   in   the   terminal   equipment  of  a  subscriber  or  user  is  only  allowed  on  condition  that  the  subscriber  or  user  concerned  has  given  his  or  her  consent,  having  been  provided  with  clear  and  comprehensive  information,  in  accordance  with   Directive   95/46/EC,   inter   alia,   about   the   purposes   of   the   processing.

Directive 95/46/EC, the Data Protection Directive, has been repealed and replaced by the General Data Protection Regulation (GDPR).   The cookie provision has been understood – at least by some – as allowing cookie banners and the assumption that surfing constitutes consent in general practice. Whether this approach is adequate was the subject of the reference.

The underlying case concerned an online lottery where the login page had two tick boxes.  The first signalled consent to being contacted for marketing purposes by third-party companies. While unticked, a user had to tick the box to participate in the lottery.  The second was pre-ticked. It related to the storage of cookies on the user’s device.  The questions related to:

  • whether a pre-ticked box was sufficient to constitute ‘consent’ within the meaning of Article 5(3) understood in the light of the Data Protection Directive (and now the GDPR); and
  • the information that must be provided to users.

In short, the answer to the first question is ‘no’.  Equating the conditions for consent here to those in the DPD, the Court held that some active and clear indication of consent is required.  Furthermore, it is impermissible to bundle together consent for multiple purposes (e.g. data use for the purpose of delivery of the service and for sharing with third parties) as was the case here. The Court held:

consentmust relate specifically to the processing of the data and cannot be inferred from an indication of the data subject’s wishes for other purposes”.

In addition, the Court stated that given the requirement for clear and comprehensive information to be given to the user, the data controller should inform the user as to how long the cookies would last as well as the sharing of data with third parties.  Since the cookie provision was in the ePrivacy Directive which ensures the confidentiality of communications more generally, these controls are not limited to when ‘personal data’ within the sense of the GDPR are in issue but apply to data more generally.

IMPLICATIONS:

There are a number of points worthy of note. The judgment signals the end of the acceptability of the opt-out approach which pre-ticked boxes relied on.  More generally, the requirement for active consent will be a blow to those sites which have relied on implied consent (ie through continued browsing). This will no longer be adequate, no matter what a privacy policy says.  It should also be noted that while Article 5(3) is generally referred to as the cookie provision, it does not cover just cookies but other ‘hidden identifiers’ (see recital 24).  While the directive accepted that there may be some legitimate uses for cookies, the judgment in Planet 49 does not really distinguish between those uses so it is unclear whether the Court’s approach would also apply, for example, to analytics cookies too.  Further, the requirement to identify an end point for the cookies and to give information about that may lead businesses to have to rethink how long they seek to obtain data from any given cookie.

The judgment is also interesting for what it does not say.  By contrast to its Advocate General, the Court expressly refrains from discussing the question of whether requiring consent to access a service (a ‘cookie wall’) constitutes freely given consent within the terms of Article 5(3) and the GDPR.  This question is thus left open for the time being. It should however be noted that recent guidance from the various data protection authorities have suggested that it would be difficult to maintain cookie walls and satisfy the requirement for freely given consent, at least as found in the GDPR. 

While publishers come to understand the implications of this ruling, the impact on data-driven advertisers around the world remains uncertain. But, it will certainly have some impact – at least until the currently ongoing revision to the e-Privacy Directive is finalised.