Cookie Consent – What Can Be Learned From The Planet49 Case?

A recent decision of the German courts serves as a useful reminder to businesses of the importance of ensuring that their cookie consent mechanisms are legally compliant. Failure to do so could mean that any consent obtained is invalid under both data protection and e-Privacy laws. In a worst-case scenario, this could result in significant fines, in addition to reputational damage.

WHAT WAS THE PLANET49 CASE ABOUT?

The case involved an action brought by a German consumer group against an online gaming company, Planet49 GmbH. Planet49 had set up a promotional lottery on its website. Before website users could participate in the lottery, they were required to provide certain personal data to Planet49 (essentially names and addresses) and deal with two checkboxes relating to the collection and use of their personal data.

One of the checkboxes (and the accompanying text) related to the placing of cookies on website users’ devices. The checkbox had been pre-ticked, which meant that website users had to untick the box if they did not agree to Planet49’s use of cookies. The text that accompanied the checkbox contained various information about the cookies Planet49 would set, but that information did not include details concerning the duration of the cookies or third parties who might have access to them.

WHAT DID THE COURT DECIDE?

Because of the timing of the alleged breaches by Planet49, the court had to consider the validity of consent under both the pre-GDPR and GDPR regimes. It ruled that valid consent to its use of cookies had not been obtained by Planet49 under either regime. Essentially, this was because:

  • where e-Privacy law requires that consent is obtained to the placing of cookies, the standard of consent is the same as that applicable under data protection law;
  • this meant that consent needed to be demonstrated either by a clear statement or an unambiguous, positive action on the part of a website user. Amongst other things, consent also needed to be informed. Use of a pre-ticked box did not meet either requirement since (i) there was no active behaviour by the website user and (ii) it was impossible to objectively determine whether a website user had actually given his or her consent or whether that consent had been informed;
  • the wording used in e-Privacy law meant that the same standard of consent applied, irrespective of whether the information being accessed or obtained via the use of cookies constituted personal data; and
  • Planet49 had not fully met its information obligations since it had failed to provide website users with information about the duration of each of the cookies or third-party access to them.

WHAT LESSONS NEED TO BE LEARNED?

  • Unless the cookies you wish to use fall under one of the narrow exemptions set out in e-Privacy law, you need to obtain the consent of your website users if you plan to use cookies;
  • The standard of consent you must achieve is the same as that which applies under data protection law (i.e. the GDPR);
  • Pre-ticked boxes should not be used, as such a mechanism will not satisfy the requirement for positive, unambiguous action. It also won’t enable you to demonstrate that consent has been informed. In addition, the explanatory text to the GDPR specifically states that the various requirements for valid consent mean that ‘Silence, pre-ticked boxes or inactivity should not therefore constitute consent’;
  • Although the point wasn’t dealt with in the Planet49 decision, you also shouldn’t infer consent from a website user’s continued scrolling or use of your website. Again, this won’t satisfy the requirement for consent to be unambiguous. Also, it’s unlikely that consent would be informed in this sort of scenario;
  • You will still need to meet the GDPR standard for consent even if the information your cookies (or similar technology) will access and collect does not constitute personal data;
  • In order to satisfy both the requirements for informed consent and the requirements relating to the provision of privacy information under the GDPR, the information you provide to website users should meet the requirements of Article 13 of the GDPR. This includes information about the duration of each of the cookies you plan to use and whether or not third parties will have access to them.

If you’d like help evaluating whether your use of cookies complies with e-Privacy and data protection law, please do not hesitate to contact a member of our Information Law Team.
