Cookie consent – What can be learned from the Planet49 case?

A recent decision of the German courts serves as a useful reminder to businesses of the importance of ensuring that their cookie consent mechanisms are legally compliant. Failure to do so could mean that any consent obtained is invalid under both data protection and e-Privacy laws. In a worst-case scenario, this could result in significant fines, in addition to reputational damage.

What was the Planet49 case about?

The case involved an action brought by a German consumer group against an online gaming company, Planet49 GmbH. Planet49 had set up a promotional lottery on its website. Before website users could participate in the lottery, they were required to provide certain personal data to Planet49 (essentially names and addresses) and deal with two checkboxes relating to the collection and use of their personal data.

One of the checkboxes (and the accompanying text) related to the placing of cookies on website users’ devices. The checkbox had been pre-ticked, which meant that website users had to untick the box if they did not agree to Planet49’s use of cookies. The text that accompanied the checkbox contained various information about the cookies Planet49 would set, but that information did not include details concerning the duration of the cookies or third parties who might have access to them.

What did the court decide?

Because of the timing of the alleged breaches by Planet49, the court had to consider the validity of consent under both the pre-GDPR and GDPR regimes. It ruled that valid consent to its use of cookies had not been obtained by Planet49 under either regime. Essentially, this was because:

  • where e-Privacy law requires that consent is obtained to the placing of cookies, the standard of consent is the same as that applicable under data protection law;

  • this meant that consent needed to be demonstrated either by a clear statement or an unambiguous, positive action on the part of a website user. Amongst other things, consent also needed to be informed. Use of a pre-ticked box did not meet either requirement since (i) there was no active behaviour by the website user and (ii) it was impossible to objectively determine whether a website user had actually given his or her consent or whether that consent had been informed;

  • the wording used in e-Privacy law meant that the same standard of consent applied, irrespective of whether the information being accessed or obtained via the use of cookies constituted personal data; and

  • Planet49 had not fully met its information obligations since it had failed to provide website users with information about the duration of each of the cookies or third-party access to them.

What lessons need to be learned?

  • Unless the cookies you wish to use fall under one of the narrow exemptions set out in e-Privacy law, you need to obtain the consent of your website users if you plan to use cookies;

  • The standard of consent you must achieve is the same as that which applies under data protection law (i.e. the GDPR);

  • Pre-ticked boxes should not be used, as such a mechanism will not satisfy the requirement for positive, unambiguous action. It also won’t enable you to demonstrate that consent has been informed. In addition, the explanatory text to the GDPR specifically states that the various requirements for valid consent mean that ‘Silence, pre-ticked boxes or inactivity should not therefore constitute consent’;

  • Although the point wasn’t dealt with in the Planet49 decision, you also shouldn’t infer consent from a website user’s continued scrolling or use of your website. Again, this won’t satisfy the requirement for consent to be unambiguous. Also, it’s unlikely that consent would be informed in this sort of scenario;

  • You will still need to meet the GDPR standard for consent even if the information your cookies (or similar technology) will access and collect does not constitute personal data;

  • In order to satisfy both the requirements for informed consent and the requirements relating to the provision of privacy information under the GDPR, the information you provide to website users should meet the requirements of Article 13 of the GDPR. This includes information about the duration of each of the cookies you plan to use and whether or not third parties will have access to them.

If you’d like help evaluating whether your use of cookies complies with e-Privacy and data protection law, please do not hesitate to contact a member of our Information Law Team.

Content Contacts

Lowri Phillips, Partner, Cardiff, +44 (0)29 2039 1758

Michelle Craven-Faulkner, Partner, Derby, +44 (0)1332 378 391