The Planet49 Case
The Planet49 case concerned a German company which organised a promotional lottery on its website.
Internet users wishing to take part in Planet49’s lottery were required to enter their postcodes, which redirected them to a web page where they were required to enter their names and addresses. Beneath the input fields for the address were two bodies of explanatory text accompanied by checkboxes. The first body of text, with its checkbox, invited the visitor to tick to receive third party advertising.
The second set of text with a pre-ticked checkbox allowed Planet49 to set cookies which tracked the users’ behaviour online. Associated with this second set of text was a hyperlink setting out the cookies that would be used and some instructions about how they could be deleted.
Questions before the court included: whether a pre-ticked box constituted valid consent; whether there was a requirement for personal data for cookie law to apply; what valid consent looks like; and what information should be given to a consumer (specifically whether this includes the duration of a cookie).
The findings of the Court can be summarised as follows:
- The GDPR standard for consent applies where consent to set cookies is required. This means that consent cannot be implied and must be freely given, specific, informed and unambiguous.
- A pre-ticked box does not constitute valid consent for cookies.
- It is irrelevant whether the cookie is collecting personal data or not and the provisions of the e-Privacy Directive apply to all cookies regardless of whether personal data is involved.
- The information given to a user should include the duration of the operation of cookies and whether third parties may have access to those cookies.
The ICO Guidelines
None of what the CJEU said in the Planet49 case will be much of a surprise to anyone who has read the ICO’s most recent guidelines on cookies and related technologies which can be found here.
In practice this means that, when placing cookies, you must now ensure that express consent is sought in advance (i.e. before cookies are set) and that users are given clear and detailed information about the cookies so that informed consent can be obtained. Gone therefore are pre-ticked boxes and pop-up banners which say things like, “By continuing to browse you consent to us setting cookies”.
The requirement to obtain consent only applies to non-essential cookies. It is therefore not applicable to essential cookies, which for example relate to user authentication or input, security, streaming content or network preferences, but would apply to non-essential cookies such as social media plug-ins or cookies used for the purposes of online advertising or cross-device tracking. Where the cookie has more than one purpose, consent will also be required where at least one of those purposes is non-essential.
- Ensure that you obtain consent by the user carrying out a positive act such as ticking a box. No pre-ticked boxes or implied consents!
- If using banners / pop-ups or message bars it will be important to consider the implications for a user accessing the website from different devices – what works on a laptop may not be visible or accessible from a mobile device.
- Use of the words “Agree” or “Allow” in font or type that is more prominent than “Reject” or “Block” represents a non-compliant approach, as you will be influencing users towards the “accept” option.
- It is important at all times for users to fully understand: what you are using cookies for, how you have gone about seeking their consent, how you (and any third party) intend to use their data and that you have provided them with appropriate control over their preferences.
The ICO has made it clear that non-compliance will lead to formal action being taken. However, it is also unlikely that priority for formal action will be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals. The ICO will consider whether you can demonstrate that you have done everything that you can to clearly inform users about the cookies and provide clear direction as to their choices in relation to these cookies.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.