- 04 October 2019
What are cookies?
Cookies are small text files which are stored on devices by web browsers. If a website has access to these cookies, it can identify the user of the device and use this information at a later time to track the user across the internet. Cookies are used primarily to assist with the functionality of a website (e.g. remembering products for online checkouts) and to tailor any marketing to the individual user. Information which may be stored by cookies could include, for example, language preferences, time and length of visit, content of website viewed and advertisements accessed.
Directive 2002/58/EC, commonly known as the e-Privacy Directive, governs digital marketing and the protection of users’ privacy in electronic communications.
Article 5(3) of the e-Privacy Directive requires that the storing of or gaining access to cookies is allowed only on the condition that the user concerned has given their consent, having been provided with ‘clear and comprehensive information’ about the purpose of the processing. Consent in this context bears the same meaning as consent under the predecessor of the General Data Protection Regulation (GDPR), the Data Protection Directive.
An exemption applies for cookies which are strictly necessary for the operation of the site.
If a profile is built from cookies on the particular device and is used with the intention of determining the identity of the user, that profile may comprise personal data. In other words, if a website operator seeks to use the cookies to identify a particular individual and to target advertising at them, compliance with the GDPR may also be necessary.
The Planet49 case
A hyperlink to the cookie checkbox contained a statement which included information about the use and purpose of the cookies but did not identify the duration of intended use or the identity of users of such cookies.
A German consumer group, the Federation of Consumer Organisations, Germany (‘Federation’), brought an action against Planet49 requiring it to cease using the checkboxes.
The Regional Court of Frankfurt am Main, Germany upheld in part the claim by the Federation and, on hearing an appeal by Planet49, the German Federal Court of Justice referred certain questions concerning the interpretation of the e-Privacy Directive to the CJEU.
Consent by Active Behaviour
The CJEU considered the relevant law regarding consent, being Articles 2(h) and 7(a) of the Data Protection Directive. These provide that consent is ‘any freely given, specific and informed indication of his wishes by which the data subject signifies his agreement’, and such consent will be lawful if it is given ‘unambiguously’.
The Court determined that the requirement for the user to provide an ‘indication’ of wishes clearly points to the need for active rather than passive behaviour (Para 52 of the CJEU judgment).
Further, it would be impossible to ascertain objectively whether consent had been given or whether that consent was informed where a user did not de-select a pre-ticked check box (Para 55).
Consent therefore will not be validly given if the storage of and access to cookies is permitted by way of a pre-checked tick box which the user must then de-select (Paras 57 and 65).
The Court pointed out that the successor to the Data Protection Directive, the GDPR, expressly precludes silence or pre-ticked boxes as constituting consent.
Is Consent Freely Given?
It is interesting that the Court was not asked to consider whether the first checkbox used by Planet49 complied with the requirement that consent be freely given.
The first checkbox used by Planet49 required the user to provide its consent to use of personal data for marketing as a pre-condition to enter the lottery.
It is possible that, in the context of the current data protection regime, consent would not have been found to be ‘freely given’; there was no genuine and real choice as, without consent, permission to participate in the lottery was denied.
The presumption now contained in Recital 43 of the GDPR is that where consent is a condition of provision of services, that consent will not be freely given. Further, consent will not be freely given if a detriment is suffered when consent is subsequently withdrawn. The ICO has voiced a view that organisations may seek to incentivise consent to marketing by offering added benefits in exchange for obtaining such consent so that no detriment is suffered if in future that consent is withdrawn.
However, organisations ought to be careful when relying on consent as a basis for marketing, as the onus will be on the organisation to prove consent was valid if it is ever challenged. There are other possible lawful bases to process personal data for marketing and organisations are well advised to review their policies to ensure they do not unnecessarily expose themselves to risk.
Same standard of Consent as GDPR
On the facts of the Planet49 case, it was accepted that the storage of cookies did amount to processing of personal data, triggering the need for Planet49 to comply not only with the e-Privacy Regulation but also the Data Protection Directive.
The CJEU was asked to consider whether the question of consent is to be treated differently depending on whether the cookies contained personal data. The CJEU found that the same interpretation for obligations under the e-Privacy Regulation applied regardless of whether the cookies comprise personal data.
Fairness and Transparency in Provision of Information
The CJEU also determined that part of the clear and comprehensive information which must be provided to the user in accordance with the Data Protection Directive included information as to the duration of the operation of the cookies and whether or not third parties will access the cookies.
The Court observed that the provision of such information ought to put a user in a position to determine the consequences of any consent given to ensure that the consent is informed (Para 74). It also commented that the type of information listed in the Directive to be provided is not exhaustive and may include ‘such further information as is necessary’ to guarantee fairness and transparency of processing.
It is understandable that in drawing this conclusion the CJEU had regard to the successor legislation, the GDPR, which clearly includes a requirement to inform as to duration of processing.
The Planet49 decision is not surprising given that the concept of valid consent, which is now clarified under the GDPR, expressly excludes use of pre-ticked boxes as evidence of such consent.
However, the decision does indicate that regardless of whether the GDPR applies in a given case, organisations will need to comply with the same high standard of consent and include clear and comprehensive information (including duration and identity of third parties accessing) before storing and accessing cookies on a device.
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.