Cookie consent – What can be learned from the Planet49 case?

Derby Office Icon

A recent decision of the German courts serves as a useful reminder to businesses of the importance of ensuring that their cookie consent mechanisms are legally compliant. Failure to do so could mean that any consent obtained is invalid under both data protection and e-Privacy laws. In a worst-case scenario, this could result in significant fines, in addition to reputational damage.

What was the Planet49 case about?

The case involved an action brought by a German consumer group against an online gaming company, Planet49 GmbH. Planet49 had set up a promotional lottery on its website. Before website users could participate in the lottery, they were required to provide certain personal data to Planet49 (essentially names and addresses) and deal with two checkboxes relating to the collection and use of their personal data.

One of the checkboxes (and the accompanying text) related to the placing of cookies on website users’ devices. The checkbox had been pre-ticked, which meant that website users had to untick the box if they did not agree Planet49’s use of cookies. The text that accompanied the checkbox contained various information about the cookies Planet49 would set, but that information did not include details concerning the duration of the cookies or third parties who might have access to them.

What did the court decide?

Because of the timing of the alleged breaches by Planet49, the court had to consider the validity of consent under both the pre-GDPR and GDPR regime. It ruled that valid consent to its use of cookies had not been obtained by Planet49 under either regime. Essentially, this was because:

  • where e-Privacy law requires that consent is obtained to the placing of cookies, the standard of consent is the same as that applicable under data protection law;

  • this meant that consent needed to be demonstrated either by a clear statement or an unambiguous, positive action on the part of a website user. Amongst other things, consent also needed to be informed. Use of a pre-ticked box did not meet either requirement since (i) there was no active behaviour by the website user and (ii) it was impossible to objectively determine whether a website user had actually given his or her consent or whether that consent had been informed;

  • the wording used in e-Privacy law meant that the same standard of consent applied, irrespective of whether the information being accessed or obtained via the use of cookies constituted personal data; and

  • Planet49 had not fully met its information obligations since it had failed to provide website users with information about the duration of each of the cookies or third-party access to them.

What lessons need to be learned?

  • Unless the cookies you wish to use fall under one of the narrow exemptions set out in e-Privacy law, you need to obtain the consent of your website users if you plan to use cookies;

  • The standard of consent you must achieve is the same as that which applies under data protection law (i.e. the GDPR);

  • Pre-ticked boxes should not be used, as such a mechanism will not satisfy the requirement for positive, unambiguous action. It also won’t enable you to demonstrate that consent has been informed. In addition, the explanatory text to the GDPR specifically states that the various requirements for valid consent mean that ‘Silence, pre-ticked boxes or inactivity should not therefore constitute consent’;

  • Although the point wasn’t dealt with in the Planet49 decision, you also shouldn’t infer consent from a website user’s continued scrolling or use of your website. Again, this won’t satisfy the requirement for consent to be unambiguous. Also, it’s unlikely that consent would be informed in this sort of scenario;

  • You will still need to meet the GDPR standard for consent even if the information your cookies (or similar technology) will access and collect does not constitute personal data;

  • In order to satisfy both the requirements for informed consent and the requirements relating to the provision of privacy information under the GDPR, the information you provide to website users should meet the requirements of Article 13 of the GDPR. This includes information about the duration of each of the cookies you plan to use and whether or not third-parties will have access to them.

If you’d like help evaluating whether your use of cookies complies with e-Privacy and data protection law, please do not hesitate to contact a member of our Information Law Team.

RELATED:   BRITISH AIRWAYS FACES £183M FINE FOR DATA BREACHEXPERTISE - GDPR


MORE FROM THE ADVICE CENTRE

News

Geldards commended in The Times 200 Best Law Firms 2020
25/11/2019
The Times 200 Best Law Firms has once again commended national law firm Geldards in the second edition of their list of best 200 law firms in the UK.
more...

Events

Network Derby Christmas Quiz 2019
01/06/2008
9th December 2019
Kick start the count down to Christmas with Network Derby's annual Christmas Quiz. This year, on Monday 9th December, we're heading back to Derbyshire County Cricket Club for our legendary quiz. Many regular attendees have been asking about our eagerly anticipated event.
more...

Blogs

Let’s keep our eyes on the prize
29/10/2019
It takes experience, wisdom and sometimes even a bit of courage to stand back from the frenetic day-to-day environment and see the bigger picture. That or turning off Twitter…We enter the autumn stretch of the year with typical weather, mixed reports about the state of the economy, patchy performance on the sporting field and what now appears to be routine chaos in politics.
more...

Publications

Salus – Wealth and Family Protection
02/10/2018
Salus Magazine is brought to you by the Private Client team at Geldards to help you protect your wealth and family.
more...

Content Contacts

PARTNER

Lowri Phillips

LOWRI PHILLIPS

Partner, Cardiff

+44 (0)29 2039 1758
email
more...

PARTNER

Michelle Craven-Faulkner

MICHELLE CRAVEN-FAULKNER

Partner, Nottingham

+44 (0)1332 378 391
email
more...