On October 1, 2019 the Court of Justice of the EU issued its much awaited decision in the Planet 49 case. The case dealt with the participation in an online lottery and what the consent for that should look like, in view of online cookies / trackers deployed in the website where the lottery was held.
The decision raises some serious points for consideration by companies subject to GDPR and to the ePrivacy regime under the ePrivacy Directive and implementing state laws as follows:
Some information processed by cookies or online trackers is personal data, even if we don’t initially think so.
In this case, a number which is assigned to the registration data of that user, who must enter his or her name and address in the registration form for the lottery. By linking that number with that data, a connection between a person and the data stored by the cookies arises if the user uses the internet, such that the collection of that data by means of cookies is a form of processing of personal data.
A pre-checked check box is not sufficient consent for the placement of cookies or online trackers that deploy on a user’s terminal device.
This is because it is not inconceivable that a user would not have read the information accompanying the preselected checkbox, or even would not have noticed that checkbox, before continuing with his or her activity on the website visited
Consent must be indicated through an action, active behavior.
A pre-checked check box does not qualify, and by analogy, neither does the phrase “by continuing to use this website”.
You need active consent whether or not cookies collect personal data.
The expression of intention must be specific to the data processing.
The indication of the data subject’s wishes must be ‘specific’ in the sense that it must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject’s wishes for other purposes.
The fact that a user activates the promotional game participation button is not sufficient to consider that the user has validly given his consent to the placement of cookies.
Collecting information through cookies or online tracker requires informed consent.
You may not gain access, through cookies or trackers, to information already stored in the terminal equipment of a user – unless the user concerned has given his or her consent, having been provided with clear and comprehensive information in regard to the purposes of the processing.
Cookie disclosure must be clearly understandable and detailed enough to allow the user to understand how cookies are used.
Cookie disclosure must include at least:
(i) identity of the controller;
(ii) the purposes of the processing;
(iii) the duration of operation of cookies and
(iv) the possibility or not for third parties to access these cookies.
The Court adds that clear and comprehensive information implies that a user is in a position to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed. It must be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed.
There are those who think that with this statement the Court is imposing an open ended disclosure requirement which is broader than the requirements of Art. 13 of GDPR and harks back to the Art 10 Data protection directive formula for giving any additional information which may be necessary to guarantee fair processing in respect of the data subject.
As companies reshape their cookie and tracker consents, they should also think about how to operationalize the requirement under the California Consumer Privacy Act (CCPA) for “Do Not Sell My Information” in connection with online cookies and trackers and how much the EU ePrivacy cookies consent management solutions could be leveraged or repurposed to this end.