Privacy Laws

Website Cookie Consent: Is the Cookie Starting to Crumble?

By WILLIAM RM LONG, ELEANOR DODDING AND JASMINE AGYEKUM

Two important decisions have recently been issued relating to website operators’ use of cookies. First, the Court of Justice of the European Union (the “CJEU” or the “Court”) has issued its judgement in Planet49, a case which looked at the standards of consent and transparency for the use of cookies and similar technologies in the context of the e-Privacy Directive and the GDPR. The Court determined that opt-out consent, by way of a pre-ticked checkbox, was insufficient to obtain GDPR-standard consent for non-essential cookies. Second, the Spanish data protection authority, AEPD, fined Vueling, a Spanish airline, €30,000 for forcing visitors to its website to accept the use of non-essential cookies on their device in order to continue viewing the website.

We set out below our summaries and key takeaways from both decisions which help to highlight the latest approach of both the courts and European data protection regulators in relation to cookie consent.

CJEU Issues Judgement on Cookie Consent in Planet49 Case

On October 1, 2019 the CJEU issued its judgement in Planet49, a case which looked at the standards of consent and transparency for the use of cookies and similar technologies in the context of the e-Privacy Directive and the GDPR. In particular, the Court ruled that opt-out consent, by way of a pre-ticked checkbox, is insufficient to obtain a GDPR-standard consent to the storage of non-essential cookies required by the e-Privacy Directive.

By way of brief summary of the facts, Planet49 GmbH is a German online gaming company that, in this case, offered a promotional lottery. To take part, users had to register by entering their postcode, after which they were redirected to enter their name and address. Below these fields, there were two bodies of text:

  1. The first included a checkbox and requested the consent of the user to allow Planet49 to share their personal data with commercial partners and to receive marketing from those parties. Ticking this box was mandatory to participate in the lottery.
  2. The second body of text included a pre-selected checkbox which allowed users to opt out of the use of cookies by unticking the checkbox. The cookies were placed to allow Planet49 and its web analytics provider to provide targeted behavioural advertising to users. Participation in the lottery was possible whether or not this box remained ticked.

The key takeaways from the case are as follows:

  • First, a pre-selected checkbox that a user must actively uncheck to prevent giving their consent (i.e., an opt-out) does not amount to valid consent under the e-Privacy Directive, in conjunction with the GDPR, because it is not an active consent. The Court highlighted that a user may not have seen the checkbox or read the information before proceeding and providing their “consent.” Furthermore, given that Recital 32 of the GDPR specifically precludes the use of “silence, pre-ticked boxes or inactivity” as constituting valid consent, it would be difficult for the Court to reach any other conclusion.

Linked to this point, the CJEU was also clear that the consent must be specific. The fact that a user clicked on a “participate” button to enter Planet49’s promotional lottery below the explanatory text was not granular enough to constitute consent to the marketing and cookie processing purposes outlined above. Each purpose must be consented to separately.

It should also be noted that the Court did not deal with the last limb of GDPR-consent (i.e., whether the consent was freely given) in relation to the first mandatory checkbox to receive marketing and specifically confirmed that it would not opine on that element in this case.

  • Second, it does not make a difference whether the information stored or accessed via the cookies constitutes personal data; the GDPR consent standard should still apply to the e-Privacy Directive’s consent rule. However, in this case, the cookie data was in fact personal data because it linked a name and address to the cookie information via a registration number.
  • Lastly, website operators will need to ensure that users are provided with “clear and comprehensive” information to inform their decision as to whether or not to consent to the use of cookies. In particular, the CJEU considers website operators will need to inform users about the duration of the cookie lifespan and whether third parties will have access to the cookies.

Vueling fined €30,000 for forcing users to accept cookies when visiting its website

On September 6, 2019, AEPD fined Vueling, a Spanish airline, €30,000 for forcing visitors to its website to accept the use of non-essential cookies on their device in order to continue browsing the website. Visitors to the Vueling website were informed that “you can configure the browser to accept or reject by default all cookies” or they could “revoke at any time the consent given for the use of cookies by Vueling… [or adjust] the browser settings to prevent the installation of cookies”.

The AEPD found Vueling had breached Article 22.2 of the Law on Information Society Services (LSSI) after finding the Vueling website implied consent for the use of cookies on the visitors’ devices, and the subsequent transfer of data to third parties, by the visitor merely browsing the website.

The AEPD held that Vueling’s collection of consent from website visitors in the form of the visitor merely browsing the site was invalid, as the site provided no “management system or cookie configuration panel that allowed the user to [delete the installation of cookies on their device] in a granular way.”

Under Article 22.2 of the LSSI, service providers may impose cookies on a user’s device provided (i) the consent of the user has been obtained, and (ii) prior to the user granting consent, the user had been provided with clear and complete information on the use of cookies, including the purposes of the data processing.

The €30,000 fine was later reduced to €18,000 after Vueling admitted responsibility. Importantly, the fine was issued for breaching the LSSI and not the GDPR. As such, it is important for website operators to ensure any cookie consent is compliant with not only the GDPR but also EU Member State laws.

Conclusions

Both the CJEU’s findings and the decision of the Spanish AEPD largely echo recent regulatory guidance issued on obtaining clear consent to the use of cookies and similar technologies (e.g., guidance from the French CNIL and the UK’s ICO (which we discuss in an earlier Data Matters blog post)).

For those who are still relying on a “soft opt-in” or opt-out standard for cookies, the CJEU judgement and the recent Spanish regulatory enforcement action signal a clear European-wide message to prioritize bringing cookie consent in line with GDPR requirements. Based on these decisions, website operators should consider reviewing their cookie consent processes, policies and notices and carrying out a cookie audit to ensure appropriate levels of consent, as recently recommended by the UK ICO.