October started off energetically in terms of data protection when the Court of Justice of the European Union delivered a long-awaited decision on using cookies in the so-called Planet 49 case.
The court reached two clear conclusions. First, it considered that consent given by means of a pre-ticked box is not validly given, and second, that consent for cookies must fulfil the requirements of the GDPR. In other words, the consent required from the user needs to be freely given, specific, informed and an unambiguous indication of the data subject’s agreement to the processing of his/her personal data.
The court considered that consent requires an active measure by the user and that consent given with a pre-ticked box is not an active measure by the user. In addition, it ruled that active consent is required for all data stored on the terminal device, whether or not it is personal data. The court also stated that the service provider needs to inform the users of the website how long the cookies stored on the terminal device remain in operation and whether third parties can use the cookies.
The Planet 49 decision can have substantial effects, since the precedents of the Court of Justice of the European Union take primacy over national legislation. In addition, the ePrivacy directive has been implemented in national legislation in slightly different ways. Consequently, the decision at hand may require the national authorities to change their current guidelines on cookies. Traficom, which supervises the confidentiality of electronic communications in Finland, has issued guidance on how consent regarding cookies may be given. So far Traficom has considered that the user may validly give their consent in the browser settings of the terminal device, and thus a separate so-called cookie banner hasn’t been needed in Finland. In the browser settings, the consent has typically been given as a default setting, and if the user wants to prohibit the use of cookies, he/she must separately change the browser settings by removing the cookies. Therefore, it is questionable whether consent given in the browser settings meets the requirement of active consent set by the Court of Justice of the European Union.