We set out below our summaries and key takeaways from both decisions which help to highlight the latest approach of both the courts and European data protection regulators in relation to cookie consent.
CJEU Issues Judgement on Cookie Consent in Planet49 Case
By way of brief summary of the facts, Planet49 GmbH are a German online gaming company that in this case, offered a promotional lottery for which users had to register to take part by entering their postcode, which then re-directed them to enter their name and address. Below these fields, there were two bodies of text:
- The first included a checkbox and requested the consent of the user to allow Planet49 to share their personal data with commercial partners and to receive marketing from those parties. Ticking this box was mandatory to participate in the lottery.
The key takeaways from the case are as follows:
- First, a pre-selected checkbox that a user must actively uncheck to prevent giving their consent (i.e., an opt-out) does not amount of valid consent under the e-Privacy Directive, in conjunction with the GDPR, because it is not an active consent. The Court highlighted that a user may not have seen the checkbox or read the information before proceeding and providing their “consent.” Furthermore, given Recital 32 of the GDPR specifically precludes the use of “silence, pre-ticked boxes or inactivity” as constituting valid consent, it would be difficult for the Court to reach any other conclusion.
Linked to this point, the CJEU was also clear that the consent must be specific. The fact that a user clicked on a “participate” button to enter Planet49’s promotional lottery below the explanatory text was not granular enough to constitute consent to the marketing and cookie processing purposes outlined above. Each purpose must be consented to separately.
It should also be noted that the Court did not deal with the last limb of GDPR-consent (i.e., whether the consent was freely given) in relation to the first mandatory checkbox to receive marketing and specifically confirmed that it would not opine on that element in this case.
- Second, it does not make a difference whether the information stored or accessed via the cookies constitutes personal data, the GDPR consent standard should still apply to the e-Privacy Directive’s consent rule. However, in this case, the cookie data was in fact personal data because it linked a name and address to the cookie information via a registration number.
Vueling fined €30,000 for forcing users to accept cookies when visiting its website
The AEPD held that Vueling’s collection of consent from website visitors in the form of the visitor merely browsing the site was invalid, as the site provided no “management system or cookie configuration panel that allowed the user to [delete the installation of cookies on their device] in a granular way.
The €30,000 fine was later reduced to €18,000 after Vueling admitted responsibility. Importantly, the fine was issued for breaching the LSSI and not the GDPR. As such, it is important for website operators to ensure any cookie consent is compliant with not only the GDPR but also EU Member State laws.
For those who are still relying on a “soft opt-in” or opt-out standards for cookies, the CJEU judgement and the recent Spanish regulatory enforcement action signals a clear European-wide message to prioritize bringing cookie consent in line with GDPR requirements. Based on these decisions, website operators should consider reviewing their cookie consent processes, policies and notices and carry out a cookie audit to ensure appropriate levels of consent as recently recommended by the UK ICO.