A recent decision of the German courts serves as a useful reminder to businesses of the importance of ensuring that their cookie consent mechanisms are legally compliant. Failure to do so could mean that any consent obtained is invalid under both data protection and e-Privacy laws. In a worst-case scenario, this could result in significant fines, in addition to reputational damage.
What was the Planet49 case about?
The case involved an action brought by a German consumer group against an online gaming company, Planet49 GmbH. Planet49 had set up a promotional lottery on its website. Before website users could participate in the lottery, they were required to provide certain personal data to Planet49 (essentially names and addresses) and deal with two checkboxes relating to the collection and use of their personal data.
What did the court decide?
- where e-Privacy law requires that consent is obtained to the placing of cookies, the standard of consent is the same as that applicable under data protection law;
- this meant that consent needed to be demonstrated either by a clear statement or an unambiguous, positive action on the part of a website user. Amongst other things, consent also needed to be informed. Use of a pre-ticked box did not meet either requirement since (i) there was no active behaviour by the website user and (ii) it was impossible to objectively determine whether a website user had actually given his or her consent or whether that consent had been informed;
- Planet49 had not fully met its information obligations since it had failed to provide website users with information about the duration of each of the cookies or third-party access to them.
What lessons need to be learned?
- The standard of consent you must achieve is the same as that which applies under data protection law (i.e. the GDPR);
- Pre-ticked boxes should not be used, as such a mechanism will not satisfy the requirement for positive, unambiguous action. It also won’t enable you to demonstrate that consent has been informed. In addition, the explanatory text to the GDPR specifically states that the various requirements for valid consent mean that ‘Silence, pre-ticked boxes or inactivity should not therefore constitute consent’;
- Although the point wasn’t dealt with in the Planet49 decision, you also shouldn’t infer consent from a website user’s continued scrolling or use of your website. Again, this won’t satisfy the requirement for consent to be unambiguous. Also, it’s unlikely that consent would be informed in this sort of scenario;
- You will still need to meet the GDPR standard for consent even if the information your cookies (or similar technology) will access and collect does not constitute personal data;
- In order to satisfy both the requirements for informed consent and the requirements relating to the provision of privacy information under the GDPR, the information you provide to website users should meet the requirements of Article 13 of the GDPR. This includes information about the duration of each of the cookies you plan to use and whether or not third parties will have access to them.