The Planet49 decision: Implications for organisations that use cookies

On 1 October 2019, the Court of Justice of the European Union (the “CJEU”) delivered a significant preliminary ruling in the Planet49 case with regards to cookies and consent under the General Data Protection Regulation 2016/679 (“GDPR”). In the wake of the decision and recent guidance, businesses should be aware that the requirements of cookie consent have evolved considerably in the past few months. 

Pre-checked boxes and statements on privacy policies which relate to user's “passive consent” given through continued use of a website are now highly unlikely to constitute valid consent under EU law. Consent must also be "granular“ - in that consent for one type of processing (for instance - making an online purchase) cannot be automatically inferred as consent for another kind of purchase (such as sharing the information with a third party). 

Businesses (particularly those that rely on cookies to provide analytical services and advertising) should review and update their privacy and cookies policies to:

(i) include clear and comprehensive information in relation to cookies (including their duration and any sharing with third parties); and

(ii) ensure that they are fully aligned with the standards for consent set out in GDPR and subsequent regulatory guidance and case law.

Planet49: The Facts

Planet49 established an online lottery that required users to provide personal information to enter. In order to play the lottery, users had to tick two checkboxes. It was not possible to play the lottery without clicking the first checkbox and the second checkbox was pre-checked. The first box allowed Planet49 to share user data with third parties. The second pre-checked checkbox indicated consent to cookies being placed on the user’s device.

The Ruling

The CJEU ruled that consent to the storage of, or access to, information on a website user's equipment cannot be validly obtained through the use of a pre-checked box. This applies whether the requirement for consent to cookies in the E-Privacy Directive (2002/58/EC) is read in conjunction with GDPR or the Data Protection Directive (95/46/EC). 

If consent is pre-determined, a user is not providing active consent, as it would be “impossible" to ascertain whether, by not deselecting a pre-ticked box, a user had provided active consent. The CJEU reiterated that consent must be "specific" and that selecting a button to participate in a lottery is insufficient to conclude that a user has also consented to the storage of cookies.

The requirement for consent to store or access information on a website user's equipment is unaffected by whether or not such information is personal data. The E-Privacy Directive refers to "storing of information, or the gaining of access to information already stored" and aims to protect users from interference with their private sphere regardless of whether or not that interference involves personal data. 

"Clear and comprehensive information" within the meaning of the E-Privacy Directive includes the duration of the cookies and whether third parties have access to them. 

Context of the decision

The decision of the CJEU reflects the Advocate General’s Opinion delivered on 21 March 2019 and provides further confirmation that the consent requirement in relation to cookies is now the higher standard of consent, as defined in GDPR.

The decision also follows opinions issued by the European Data Protection Board (March 2019), the Irish Data Protection Commissioner (June 2019) and the UK Information Commissioner’s Office (July 2019) which all concurred that the standard of consent required by GDPR must be freely given, specific and informed, and that there must be an indication signifying a user’s agreement, which is unambiguous and involves a clear affirmative action. 

The effect of the decision is that the ePrivacy Directive (2002/58/EC), as amended by Directive 2009/136/EC and the Irish ePrivacy Regulations of 2011, which govern the use of cookies (and similar technologies such as device fingerprinting and web beacons), must be read in conjunction with GDPR in terms of defining consent.