MyFondia VirtualLawyer
October 14, 2019

Will the decision of the Court of Justice of the European Union renew cookie practices?

October started off energetically in terms of data protection when the Court of Justice of the European Union delivered a long-awaited decision on using cookies in the so-called Planet 49 case.

The court evaluated the cookie concept of Planet 49 GmbH, an organization which organizes lotteries online. The company asked for the consent of the participants for storing cookies with a pre-ticked box. Therefore, the participant should have unticked the pre-ticked box if they wanted to prohibit the use of cookies. The cookies were used to transmit personal data from the user’s terminal device to the sponsors and partners of the company.

Is the pre-ticked consent valid and does it fulfill the requirements of GDPR?

The court came into two clear conclusions. Firstly, it considered that a pre-ticked consent is not validly given and secondly, the consent for cookies must fulfill the requirements of the GDPR. In other words, the consent required from the user needs to be freely given, specific, informed and an unambiguous indication of the data subject’s agreement to the processing of his/her personal data.

A consent requires user's active measures

The court considered that a consent requires the user’s active measures and that a consent given with a pre-ticked box is not an active measure by the user. In addition, it ruled that an active consent is required for all the data stored on the terminal device whether or not it is personal data. The court also stated that the service provider needs to inform the users of the website on how long the cookies stored on the terminal device work and if third parties have a possibility of using the cookies.

Not all use of cookies require a consent

Despite the decision, it is good to keep in mind that all use of cookies does not require a consent. Such are for example cookies, that 1) have the sole purpose of transmitting messages on information networks and 2) which are absolutely necessary to the service provider in order to provide the service that the subscriber or user of the service has specifically requested for. Such cookies can be used as a part of services such as online banks and stores.

Does a consent given in the browser settings meet the requirements of a consent of the Court of Justice of the European Union?

The Planet 49 decision can have substantial effects since the precedents of the Court of Justice of the European Union are primarily applicable law in relation to national legislation. In addition, the ePrivacy directive has been implemented in national legislations in slightly different ways. Consequently, the decision at hand may require the national authorities to change their current guidelines on cookies. Traficom, which supervises the confidentiality of electronic communications in Finland, has instructed on how the consent regarding cookies may be given. So far Traficom has considered that the user may validly give their consent on the terminal device’s browser settings and thus a separate so-called cookie banner hasn’t been needed in Finland. In the browser settings, the consent has typically been given as a default setting and if the user wants to prohibit the user of cookies, he/she must separately change the browser settings by removing the cookies. Therefore, it is questionable whether a consent given in the browser settings meets the requirement of an active consent of the Court of Justice of the European Union.