PART 3 - New Guidance on Data Privacy - Have you really obtained consent to cookies?
While we wait for the final draft of the new e-Privacy Regulation which will yet again tighten the rules on data privacy in an online context.
Part 1 of this 3-part series looked at existing laws around what a cookie is and when cookies can be used, and Part 2 looked at the future of the rules under the new draft e-Privacy Regulation. The third and final part of this 3-part series looks to the Court of Justice of the European Union (CJEU) for guidance on cookie practice, focusing on the Attorney General’s recent opinion on consent to cookies, especially where personal data is concerned.
The Case: Consenting to Cookies
Upon accessing the website, users would be asked to input their personal details and would then be taken to a screen alerting them to the cookies used on the site, should they proceed. There were two tick boxes: the first asked users to agree to promotional partners storing and using their personal data to advertise to them, and appeared un-ticked. The second asked users to enable cookies for targeted advertising, and appeared already ticked. Users had to agree to the first box, as a minimum, in order to proceed.
Germany’s authority in charge of consumer law felt that this practice did not properly obtain consent, while Planet49 argued that it had complied with EU law.
The Advocate General reviewed the applicable EU law (Directive 95/46 on the processing of personal data, Directive 2002/58/EC on the processing of personal data and privacy in electronic communications, Directive 2009/136/EC on users’ rights relating to electronic communications, and the GDPR) as well as German civil law.
These laws have now strongly established that consent is required both for processing personal data and for accepting cookies. Users must be informed of the legitimate purposes of these practices and should always have the opportunity to reject them.
Their consent must be freely given, specific, informed and unambiguous. The Advocate General also noted that under German law, provisions of business terms should not unreasonably disadvantage one party, and marketing should not be an “unacceptable nuisance”.
The Preliminary Opinion
When is consent, consent?
The Attorney General does not consider that the requirements for consent were fulfilled by Planet49, and notes that it makes no difference whether the cookies in question concern personal data or not.
The first, un-ticked box about promotional partners’ adverts, which users had to tick in order to proceed on the website, fulfilled the requirement for active consent because users were required to tick it, but it failed because the consent was not separate.
Users should be able to withhold consent, and this should not affect their journey on the site.
The Attorney General suggested that, rather than merely a box to be ticked, this question would be better asked in an entirely separate way, unrelated to users’ journey in the promotional lottery.
The second pre-ticked box, asking for consent to cookies, also did not meet the standard requirements. Consent needs to be manifested in an active manner, and it is not enough for a user’s declaration of consent to be pre-formulated in any way. There is nothing to prove that the user has understood the information; they may have just left the box ticked and not read the notice.
Planet49 argued that by inputting their personal details on the first page, users actively consented, and the second page dealing with consent to cookies gave users the opportunity to revoke this consent. The Attorney General disagrees. Consent must be freely given, informed, active, and separate.
Participation in the online lottery and the giving of consent for cookies could not be part of the same act.
What information is required?
The Attorney General pointed out that the average internet user does not have a high level of understanding of how cookies operate and cannot be expected to.
Therefore, clear and comprehensive information that will put a user in a position where they can determine the consequences of any consent that they might give is required. To him, this includes the duration of time that cookies will be stored for, and whether any third parties will have access to them.
While opinions from the Attorney General are not binding, they are generally a good indication of how the CJEU will rule on a case. We await the CJEU’s opinion on whether consent can indeed be a condition of a service.
For any specific advice on your cookies policy and for a legal audit of your website’s compliance, please don’t hesitate to get in touch!
Author: Lily Morrison, Legal Consultant @ Gerrish Legal, June 2019.