Wednesday 2 October 2019

CJEU confirms stricter requirements for valid cookie consent - case C-673/17 Planet49

Yesterday the Court of Justice delivered its judgment in case C-673/17 Planet49, concerning the requirements for a valid consent to the storage of cookies. The judgment largely falls in line with the previous opinion of Advocate General Szpunar, on which we reported in an earlier post (see: Pre-ticked checkboxes NOT informed consent...).

Background of the case

Source: Pixabay
To recall, the case involved a promotional lottery whose prospective participants were asked, among others, to provide personal details and agree to be contacted by various sponsors. Besides several items, to which users agreed by ticking corresponding boxes, the form included another, already pre-ticked checkbox, which concerned the placement of cookies by Planet49. German consumer organisation vzbv questioned the validity of such 'consent' under Directive 2002/58/EC on privacy and electronic communications. Following a 2009 amendment, Article 5(3) of that Directive required Member States to ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a user is only allowed on condition that the user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.

As readers may remember, Directive 95/46/EC was, in the meantime, repealed and replaced by the General Data Protection Regulation. The E-Privacy Directive was also supposed to be replaced with a regulation, with the aim to increase coherence with the GDPR. The respective proposal, however, got stuck in the legislative pipeline. The Court was not distracted by these facts and decided to interpret Directive 2002/58 in the light of both Directive 95/46 and Regulation 2016/679.

Judgment of the Court

First of all, the Court agreed with the Advocate General that consent referred to in Article 2(f) and in Article 5(3) of Directive 2002/58 cannot validly be obtained by way of a pre-ticked checkbox which the user must deselect to refuse his or her consent. To support this conclusion, the Court referred to the requirements for consent to be 'specific' and 'unambiguous' under Directive 2002/58 as well as the even more detailed wording of the GDPR.

Importantly, the Court did not elaborate on the requirement that consent must be ‘freely given’, arguing that a corresponding question had not been asked by the referring court. Response to such a question - one of major importance to the digital economy - would involve an assessment whether user’s consent to the processing of personal data for advertising purposes constituted a prerequisite to that user’s participation in a promotional lottery. As noted in our previous post, the Advocate General elaborated on this matter in a way that was subject to criticism. Against this background, self-restraint showed by the Court is to be welcomed.

As regards the question whether the interpretation set out above should differ, depending on whether or not the information stored or accessed on user's terminal equipment qualifies as personal data, the Court responded with a clear 'no'. This remains in line with the rationale of Directive 2002/58 which aims to protect the user (including natural persons acting for business purposes) from interference with his or her private sphere, regardless of whether or not that interference involves personal data.

Finally, as regards the scope of information to be provided to the user before obtaining his or her consent, the Court opted for a broad reading of Article 5(3) of Directive 2002/58 in conjunction of Article 10(c) of Directive 95/46 and Article 13(1)(e) of the GDPR. In this respect, the Court, once again, sided with the Advocate General, stressing that "clear and comprehensive information implies that a user is in a position to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed. It must be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed" (para. 74). The Court considered that information on both the duration of the operation of cookies and whether or not third parties may have access to them had to be provided to the user.
 
Concluding thought

The judgment in Planet49 strengthens the protection of privacy in the digital sphere, not only of consumers stricto sensu, but of internet users more generally. Moreover, the Court confirmed that the standard of 'cookies protection' does not depend on whether or not user's personal data is involved. Privacy, according to this reading, concerns the very fact of placing pieces of software on user's 'terminal equipment'. This resembles the way in which some consumer authorities have read the notion of 'aggressive practices' under Directive 2005/29/EC on unfair commercial practices, also beyond the cookie context (see especially the Italian decision against Facebook). Whether or not such an approach to the UCPD will hold, and how it might be related to standards of disclosure, is still an open question (on the latter, see the judgment of the Court in Wind Tre, para. 45 et seq). When it comes to the E-Privacy Directive these questions do not emerge: here, without doubt, the duty to inform provides a further layer of protection to the one provided by the consent framework. The E-Privacy Directive, therefore, is quite remarkable: it combines high standards of consumer law and data protection law and applies them beyond their traditional scope. Hopefully, internet users will truly be able to benefit from it.