04 October 2019 #Data Protection
What are cookies?
Cookies are small text files which are stored on devices by web browsers. If a website has access to these cookies, it can identify the user of the device and use this information at a later time to track the user across the internet. Cookies are used primarily to assist with the functionality of a website (e.g. remembering products for online checkouts) and to tailor any marketing to the individual user. Information which may be stored by cookies could include, for example, language preferences, time and length of visit, content of website viewed and advertisements accessed.
Directive 2002/58/EC, commonly known as the e-Privacy Directive, governs digital marketing and the protection of users’ privacy in electronic communications.
Article 5(3) of the e-Privacy Directive requires that the storing of or gaining access to cookies is allowed only on the condition that the user concerned has given their consent, having been provided with ‘clear and comprehensive information’ about the purpose of the processing. Consent in this context bears the same meaning as consent under the predecessor of the General Data Protection Regulation (GDPR), the Data Protection Directive.
An exemption applies for cookies which are strictly necessary for the operation of the site.
If a profile is built from cookies on the particular device and is used with the intention of determining the identity of the user, that profile may comprise personal data. In other words, if a website operator seeks to use the cookies to identify a particular individual and to target advertising at them, compliance with the GDPR may also be necessary.
The Planet49 case
A hyperlink to the cookie checkbox contained a statement which included information about the use and purpose of the cookies but did not identify the duration of intended use or the identity of users of such cookies.
A German consumer group, the Federation of Consumer Organisations, Germany (‘Federation’) brought an action against Planet49 requiring it to cease using the checkboxes.
The Regional Court of Frankfurt am Main, Germany upheld in part the claim by the Federation and on hearing an appeal by Planet49, the German Federal Court of Justice referred certain questions concerning the interpretation of the e-Privacy Directive to the CJEU.
Consent by Active Behaviour
The CJEU considered the relevant law regarding consent, being Articles 2(h) and 7(a) of the Data Protection Directive. These provide that consent is ‘any freely given, specific and informed indication of his wishes by which the data subject signifies his agreement’, and such consent will be lawful if it is given ‘unambiguously’.
The Court determined that the requirement for the user to provide an ‘indication’ of wishes clearly points to the need for active rather than passive behaviour (Para 52 of the CJEU judgment).
Further, it would be impossible to ascertain objectively whether consent had been given or whether that consent was informed where a user did not de-select a pre-ticked check box (Para 55).
Consent therefore will not be validly given if the storage of and access to cookies is permitted by way of a pre-checked tick box which the user must then de-select (Paras 57 and 65).
The Court pointed out that the successor to the Data Protection Directive, the GDPR, expressly precludes silence or pre-ticked boxes as constituting consent.
Is Consent Freely Given?
It is interesting that the Court was not asked to consider whether the first checkbox used by Planet49 complied with the requirement that consent be freely given.
The first checkbox used by Planet49 required the user to provide its consent to use of personal data for marketing as a pre-condition to enter the lottery.
It is possible that in the context of the current data protection regime, consent would not have been found to be ‘freely given’; there was no genuine and real choice as without consent, permission to participate in the lottery was denied.
The presumption now contained in Recital 43 of the GDPR is that where consent is a condition of provision of services, that consent will not be freely given. Further, consent will not be freely given if a detriment is suffered when consent is subsequently withdrawn. The ICO has voiced a view that organisations may seek to incentivise consent to marketing by offering added benefits in exchange for obtaining such consent so that no detriment is suffered if in future that consent is withdrawn.
However, organisations ought to be careful when relying on consent as a basis for marketing, as the onus will be on the organisation to prove consent was valid if it is ever challenged. There are other possible lawful bases to process personal data for marketing, and organisations are well advised to review their policies to ensure they do not unnecessarily expose themselves to risk.
Same standard of Consent as GDPR
On the facts of the Planet49 case, it was accepted that the storage of cookies did amount to processing of personal data, triggering the need for Planet49 to comply not only with the e-Privacy Regulation but also the Data Protection Directive.
The CJEU was asked to consider whether the question of consent is to be treated differently depending on whether the cookies contained personal data. The CJEU found that the same interpretation for obligations under the e-Privacy Regulation applied regardless of whether the cookies comprise personal data.
Fairness and Transparency in Provision of Information
The CJEU also determined that part of the clear and comprehensive information which must be provided to the user in accordance with the Data Protection Directive, included information as to the duration of the operation of the cookies and whether or not third parties will access the cookies.
The Court observed that the provision of such information ought to put a user in a position to determine the consequences of any consent given to ensure that the consent is informed (Para 74). It also commented that the type of information listed in the Directive to be provided is not exhaustive and may include ‘such further information as is necessary’ to guarantee fairness and transparency of processing.
It is understandable that in drawing this conclusion the CJEU had regard to the successor legislation, the GDPR, which clearly includes a requirement to inform as to duration of processing.
The Planet49 decision is not surprising given that the concept of valid consent, which is now clarified under the GDPR, expressly excludes use of pre-ticked boxes as evidence of such consent.
However, the decision does indicate that regardless of whether the GDPR applies in a given case, organisations will need to comply with the same high standard of consent and include clear and comprehensive information (including duration and the identity of third parties accessing the cookies) before storing and accessing cookies on a device.
Please contact Chrysilla de Vere, Head of our Privacy and Data Protection Team, if you would like us to assess whether your organisation is using cookies lawfully or to obtain guidance as to your direct marketing or data protection obligations.