Germany

Court of Justice of the European Union: Users must actively consent to cookies

IRIS 2019-10:1/6

Christina Etteldorf

In a judgment of 1 October 2019 in Case C-673/17, the Court of Justice of the European Union decided that the consent necessary for storing and accessing cookies on a website user’s device was not validly constituted by way of a pre-checked checkbox that the user had to deselect to refuse his or her consent. Rather, consent must be given clearly and unambiguously in relation to the specific circumstances and with the necessary information provided.

The CJEU ruling follows a dispute in Germany between the Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e. V. (Federal Union of Consumer Organisations and Associations — Federation of Consumer Organisations – vzbv) and Planet49 GmbH, an online gaming company. In 2013, Planet49 organised a lottery in which users had to enter their names and addresses in order to take part. The online form provided for this purpose included a checkbox with a preselected tick, even though the box did not need to be ticked for the user to take part. Unless they deselected the tick in the checkbox, participants agreed that cookies could be set on their device, enabling Planet49 to evaluate their surfing and user behaviour on the websites of advertising partners and thereby enabling advertising based on their interests. The vzbv brought an action before the German national courts, arguing, inter alia, that the aforementioned method of giving consent did not satisfy the requirements of German law. While the lower-instance courts upheld the action at least in part, the Bundesgerichtshof (Federal Supreme Court) referred the case to the CJEU, along with questions about the requirements of the ePrivacy Directive (Directive 2002/58/EC as amended by Directive 2009/136/EC) and the Data Protection Directive (Directive 95/46/EC) concerning effective consent and the information obligations of parties that process data.

In its judgment, the CJEU stressed firstly that, under Article 5(3) of the ePrivacy Directive, the storing of information, or the gaining of access to information already stored in a user’s terminal equipment was only permitted if the user concerned had given his or her consent on the basis of clear and comprehensive information in accordance with Article 2 of the Data Protection Directive. Effective consent in this context, however, required active behaviour, and consent given in the form of a preselected checkbox which users had to deselect to refuse their consent was inadequate. It also made no difference whether the information stored in or accessed from the user’s device was personal data or not. This provision of EU law was designed to protect users’ privacy and, in particular, to prevent hidden identifiers or other similar devices entering their terminal equipment. However, the CJEU did not describe in detail what kind of cookies were covered by the provision.

Regarding the clear and comprehensive information that was required for effective consent, the CJEU explained that this must put the user in a position to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given was well informed. It must therefore be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed. According to the CJEU, this information includes the identity of the controller and the purposes of the processing, as well as the duration of the operation of the cookies and whether third parties may have access to them.

In principle, the CJEU’s judgment concerns the ‘old’ legal situation under the Data Protection Directive, which has since been replaced by the General Data Protection Regulation (GDPR). However, in relation to the GDPR, the CJEU specifically commented on the judgment’s future relevance, stating that its interpretation was borne out by the GDPR, which expressly laid down the need for active consent. Under the proposal for an ePrivacy Regulation (COM/2017/010 final), which is designed to reform the ePrivacy Directive, the restructuring of the rules on cookies is currently being debated. Rather than relaxing these rules, current discussions suggest that they will be tightened under the new provisions. However, the current trilogue procedure looks unlikely to result in an agreement in the near future.