On October 1, 2019, the European Court of Justice (ECJ) delivered its judgment in Planet49 (C-673/17), holding that (1) website operators must obtain active opt-in consent to store or access cookies, (2) users must be informed about the retention period and the third party receiving the data, and (3) consent must be obtained regardless of whether the cookies contain personal data.

This ruling will likely prompt regulators to scrutinize cookie policies and consent mechanisms. Therefore, website operators and all parties involved in the adtech sphere should consider reviewing their notice and consent strategy for cookies to ensure that users receive sufficient information prior to consenting, and that cookies are not installed on an opt-out basis.

Background

To participate in an online promotional lottery organized by Planet49, prospective participants could fill out a form that contained two checkboxes—one unticked box to receive marketing communications, and one pre-ticked box to allow analytics as well as third-party advertising cookies. The form linked to a detailed notice discussing the cookies that would be placed and how they would be used. A German consumer organization brought a claim against Planet49 alleging, among other things, that the consent obtained was not valid under the ePrivacy Directive’s cookie rules as implemented in Germany. In 2017, Germany’s highest court posed the question to the ECJ.

Although commonly known as the “cookie” rules, the 2002 ePrivacy Directive (as amended) regulates any technology that involves storing or accessing information on an end-user’s terminal device. In March of 2019, Advocate General Szpunar advised the Court that valid consent (1) requires clear and comprehensive information, (2) cannot be obtained through the use of pre-ticked boxes, and (3) must be separate for different processing activities. Further, the Advocate General concluded that the consent requirements apply whether or not cookies constitute personal data (see our previous WSGR Data Advisor blog post).

Consent Must Be Actively Given

The ruling confirmed the AG’s opinion that consent by means of a pre-ticked box is not valid. The ECJ held that for a user to give his or her consent, an action is required, which aligns with the requirement for valid consent under the GDPR. A pre-ticked checkbox makes it “impossible in practice to ascertain objectively whether a website user had actually given his or her consent to the processing of his or her personal data,” and thus could not constitute valid consent.

The court further indicated that consent cannot be inferred from a visitor’s continued use of the website, or by scrolling down a webpage. Unfortunately, the ECJ declined to make a finding on what constitutes “freely given” consent as the German court did not specifically ask this question.

Users Must Be Informed of Cookie Duration and Third-Party Access to Cookies

The ECJ ruling also confirmed that the ePrivacy Directive’s requirement to provide “clear and comprehensive information” to users includes information regarding the lifespan of cookies and whether third parties can access such cookies.

The ECJ linked the duration of cookies to the requirement of fair data processing under the Data Protection Directive, noting that a large amount of information can be collected from users if cookies exist on a user’s device for a long period of time. This conclusion also expressly aligns the ePrivacy Directive with the right to be informed under the GDPR.

ePrivacy Directive Extends Beyond Personal Data

Although the Planet29 case involved cookies containing personal data, the ECJ decided that, under the ePrivacy Directive, consent must be obtained regardless of whether the cookies contain personal data. The court explained that the cookie rules aim to protect the user’s “private sphere,” and that any information stored in a user’s terminal equipment is part of that private sphere, regardless of whether it constitutes personal data.

Conclusion and Implications

The ruling clarifies the requirements of valid consent for cookies, and confirms that the scope of Article 5(3) of the ePrivacy Directive extends beyond personal data. However, this case also shows the limitations of preliminary references with several questions left open. For example, the court stopped short of deciding if consent was “freely given” when a user’s consent to process their personal data was required to participate in a promotional lottery.

After the Fashion ID case, the ICO cookie guidance, and the CNIL tracking guidance, this case is the latest in a series of developments that significantly impact all parties in the adtech sphere, and website publishers and adtech companies should now consider updating their cookie consent practices again.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues in Europe and beyond, and will closely monitor developments related to adtech in Europe.

For more information, please contact Cédric Burton, Jan Dhont, Laura de Boel, Lore Leitner, Nikolaos Theodorakis, Lydia Parnes, Chris Olsen, or another member of the firm’s privacy and cybersecurity practice.