Support Centre

EU: CJEU judgment in Planet49 means cookie consent mechanisms depend on "industry and risk appetite"

Jade Wulfraat/

The Court of Justice of the European Union ('CJEU') issued, on 1 October 2019, its judgment in Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (C-673/17) ('the Judgment'). In particular, the Judgment addresses questions submitted by the German Federal Court of Justice on the validity of consent obtained as part of a lottery service organised by Planet49, an online gaming company, for which an internet user was presented with two checkboxes, of which one related to consent to direct marketing and the other, which was pre-ticked and became the focus of the Judgment, to consent to cookies being installed on the user's computer.

Claire François, Counsel at Hunton Andrews Kurth LLP, told OneTrust DataGuidance, "The CJEU recalled that consent to the use of cookies must result from users' active behaviour, and that the information to be provided to users must include the cookies' lifespan and whether or not third parties may have access to those cookies. However, the CJEU does not say how to provide such information and obtain cookie consent in practice. If it is clear that companies must implement a cookie consent mechanism and that users' active behaviour must result from a positive action, such as ticking a (non-pre-ticked) box, clicking on a button or an 'on' slider, [then] the design and implementation of [appropriate] cookie consent mechanisms are much debated. Obviously, there is no 'one-size-fits-all' approach: companies' consent mechanisms will depend on their industry and risk appetite."

The user must be in a position to assess the consequences of his or her consent

In addition, the Judgment upholds the Advocate General's opinion indicating the necessity for transparency under Articles 10 and 11 of the Data Protection Directive (Directive 95/46/EC) and Articles 13 and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which set out the obligation to provide clear and comprehensive information to data subjects.

Julia Schlösser-Rost and Fabian Seip, Senior Associate and Counsel at Hengeler Mueller respectively, explained, "The information must be sufficiently detailed to enable the user to understand how the cookies function. This requires the description of the implemented tracking method and the purpose for which the tracking data is used. The duration of the cookie and third party access are two examples for this. The user must be in a position to assess the consequences of his or her consent. […] Website providers may include the information in a linked page or 'cookie cockpit'. This would also enable the company that sets a tracking cookie to offer various levels of consent if an 'all or nothing' approach results in too few opt-ins."

Furthermore, the Judgment clarifies that the requirements of Article 5(3) of the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) for cookie consent apply regardless of whether the cookies would be used to collect not just personal data or 'information' in general, since the collected information becomes personal data when stored in terminal equipment which assigns users individual numbers which link to their registration data.

Schlösser-Rost and Seip commented, "Targeting audiences for [the] purposes of effective (high-value) advertising cookies now requires active, informed and specific consent, unless the use of a cookie is necessary for an internet service. This may result in websites hiding their content behind more or less complicated 'cookie walls' or less targeted advertising, which may result in a loss of advertising revenues, as well as in advertising that is less tailored to the interests of individual internet users. Log-in based models offered by social media sites that are sufficiently attractive, where users give broader consent during registration or in their user accounts, may be significantly less affected."

Amelia Williams Privacy Analyst