A few days ago, the European Court of Justice handed down its judgment in the “Planet49” case. This ruling had been eagerly awaited in the hope that the ECJ would seize this opportunity to provide more legal clarity to the online marketing industry. However, this expectation was only met to some extent. Some important questions remain unanswered.
What was the Planet49 case about?
In September 2013, a company called Planet49 held a prize draw on the website “www.dein-macbook.de”. In order to take part, internet users first had to enter their postcode, which led them to a page asking them for their name and address. At the bottom, two notices with checkboxes were displayed. The first checkbox, which was not ticked by default, had the following prompt:
“I agree that some sponsors and cooperation partners may inform me – by post, telephone or email/SMS – about offers from their respective business areas. […]”
The second notice, whose checkbox was provided with a pre-ticked checkmark, was as follows:
“I agree that the web analytics service Remintrex is used. The organizer of the prize draw, [Planet49], may set cookies after registration for the competition, which allows Planet49 to evaluate my surfing and usage behavior on websites of advertising partners to allow interest-based advertising by Remintrex. I can delete the cookies at any time. Read more [in the linked privacy statement].”
Participation in the competition was only possible if at least the first checkbox was selected.
The German Federal Association of Consumer Protection Agencies (Bundesverband der Verbraucherschutzzentralen) then sued Planet49 before the Regional Court of Frankfurt am Main, essentially to stop Planet49 from seeking consent in this way. The Regional Court ruled against Planet49 accordingly, while the second-instance Higher Regional Court of Frankfurt dismissed the lawsuit.
The Federal Court of Justice, upon appeal from the Bundesverband der Verbraucherschutzzentralen, had its doubts as to whether the consent obtained by Planet49 through the second checkbox was valid. It therefore referred a number of questions to the European Court of Justice for a so-called preliminary ruling:
Which questions were referred to the European Court of Justice?
The Federal Court of Justice asked the European Court of Justice the following questions (adapted for clarity):
- Does it constitute valid consent if permission for the storage of or access to information on the user’s device is given by a default checkbox which the user must deselect to refuse consent?
- Does it make a difference whether the information stored or retrieved is personal or anonymous data?
- In the circumstances referred to in question 1, does this constitute effective consent under the General Data Protection Regulation?
- What information must a website operator provide to users to be allowed to set cookies? Does this also include the duration of the cookies and whether third parties can access the cookies?
What did the European Court of Justice decide?
The European Court of Justice ruled as follows:
- It does not constitute valid consent under the relevant EU directives if the storage of and access to cookies is requested through a preset checkbox, which the user must deselect to refuse consent.
- It does not matter whether the information stored or retrieved in the user’s terminal device constitutes personal data or not.
- According to the ePrivacy Directive, a website operator must provide information about the duration of the cookies and whether third parties have access to the cookies.
What does this mean in practice?
The judgment did not come as a surprise to industry insiders: Whoever uses cookies now requires “active” consent. An opt-out solution is no longer sufficient. The wording that is still so popular today, “if you continue using this site, you agree to the processing of your data” is no longer permissible. Such implied consent is invalid.
This applies – and this is a little surprising – both to cookies containing personal data and to cookies containing anonymous information.
What was not decided by the European Court of Justice? In other words: Will I always require consent for using cookies?
A special aspect of these proceedings before the European Court of Justice is that the ECJ only needs to answer the questions put before it by the national court (in this case the German Federal Court of Justice). Therefore, the ECJ had no reason to comment on other important questions relevant to the online industry. In particular, the ECJ has not clarified:
- whether the setting of cookies could be justified by other legal bases, for example through legitimate interests (art. 6(1)(f) GDPR),
- who acts as a controller under data protection law for setting a third-party cookie,
- which cookies count as “necessary” and therefore require no separate consent (art. 5(3) ePrivacy Directive).
- It is also not clear whether users must actively consent to individual online marketing service providers or at least groups of service providers (categories, for example “online marketing”). This question obviously has far-reaching consequences: naming all service providers involved in the online marketing ecosystem would be practically impossible.
Are there “consent-free” cookies?
According to art. 5(3) of the ePrivacy Directive (also known as the “Cookie Directive”), there are still cookies that are “absolutely necessary” and therefore do not require consent. However, neither the Directive nor the ECJ ruling gives a clear definition of when exactly a cookie is “absolutely necessary”. At least the following cookies should belong in this category: shopping cart cookies, login cookies, and language selection cookies. Of course, these cookies must also be explained in the privacy policy. This includes information on the function duration of the cookies and on whether third parties have access to these cookies.
Much is still unclear here, even after the decision of the ECJ. However, marketing cookies or statistical cookies are generally not considered “necessary”. In such cases, informed consent must therefore be obtained before storing or accessing the user’s data.
Must all service providers be mentioned in the privacy policy – or are groups (categories) sufficient?
We often see the problem that an unmanageable number of service providers (third parties) are involved in programmatic advertising. It is hardly possible to name all these service providers individually, in some cases they are not even known by name. Is it therefore possible, for reasons of simplification, to form “groups” to solve this problem (for example, by specifying “retargeting provider”)?
The ECJ has also left this important question unanswered. The data protection authority of the German state of Baden-Württemberg recently published the following position in this regard:
“The consent prompt […] shall describe the processing operation clearly and unambiguously. Users must be able to easily understand what they agree to. A mere reference to ‘this site uses cookies to enhance your browsing experience’ or ‘for web analysis and promotional purposes’ is not sufficient, but rather misleading, because the associated processing activity is not made transparent. Consent does not have to be obtained for the use of cookies as such, but for the collection and disclosure of personal data. In particular, it must be listed precisely and comprehensibly to which individual third parties data are transferred, or which third parties collect or receive data and for what exact purpose. If third parties pursue their own purposes, these must also be described. This information shall be presented clearly and unambiguously and shall not be obscured, including by the heading. Users must agree actively and voluntarily […], consent must not be pre-selected. Opt-out or pre-checked boxes are not sufficient (‘privacy by design’ and ‘privacy by default’).”
But the position also states – and that is significant (emphasis added):
“The individual recipients should be selectable individually or by category.”
This means that it should also be possible to name the recipients (only) in categories. This is also in line with art. 13(1)(e) GDPR, which also stipulates that “the recipients or categories of recipients of the personal data” must be named. It therefore remains to be seen whether the ECJ will confirm this view in future proceedings.
By the way, the English data protection authority ICO takes a much more critical view of these questions. The same applies to the French supervisory authority CNIL. It is therefore all the more important that clarity is finally achieved here as soon as possible.
What is the next step?
Several weeks ago, the German Federal Ministry for Economic Affairs announced an amendment to the German Telemedia Act in order to react to the “Planet49” ruling. It remains to be seen what happens here. At the same time, the legal dispute is now referred back from the ECJ to the Federal Supreme Court, which must then issue a final decision on the specific case.
What must be done now?
- Website operators who currently offer an “opt-out” for cookies, i.e. by using preset checkboxes or similar, must change this practice.
- Website operators who do not use a consent banner but still rely on sec. 15(3) of the German Telemedia Act (TMG) and art. 6(1)(f) GDPR are taking a considerable legal risk. Nevertheless, some consider this acceptable as long as the existing statutory situation does not change.
- In the opinion of the European Court of Justice, setting cookies based on user consent requires express consent, i.e. ticking a box, clicking a button, or a toggle switch.
- The simple “continued use” after a notice or a pre-set consent is no longer sufficient in these cases.
- Consent must be obtained before cookies are set! The cookie may therefore only be set after consent has been obtained. This is also in line with the view of the German supervisory authorities, which had already expressed their view earlier this year in a guidance document for telemedia providers.
- In addition, cookie policies and privacy statements must be expanded in accordance with the requirements of the European Court of Justice. In particular, this includes information on the duration of the cookies and whether third parties have access to them. It seems reasonable to us to rely on naming groups for this purpose. However, this question has not been settled yet.