On October 1st, in the much anticipated Planet49 case, the Court of Justice of the European Union (ECJ) affirmed an earlier opinion by the Advocate-General.

Utilizing pre-ticked boxes to obtain consent for website cookies does not represent valid cookie consent because it does not show affirmative, unambiguous action on the part of the data subject. 

The Court decided this with reference to GDPR, the ePrivacy Directive, and the GDPR’s predecessor, the Data Protection Directive, which was in force at the time of the issue.

Pre-Ticked Consent Boxes

The case, referred to the ECJ by the highest court in Germany, involved an online gaming company that offered website visitors the opportunity–after providing basic contact information–to enter an online lottery.

To do so, visitors were shown two checkboxes: (1) an unticked box requesting the individual to agree to receive third-party marketing messages and (2) a pre-ticked box requesting the user to consent to the placement on their browser of advertising cookies.

To enter the lottery, the third-party marketing checkbox had to be affirmatively ticked, whereas the advertising cookie checkbox did not have to be ticked–but had to be manually un-selected by the visitor to refuse her consent to such cookies.  

The Court analyzed Article 5(3) of the EU’s ePrivacy Directive, which requires that users have a GDPR-level of data subject consent prior to the storage and accessing of cookies on web browsers and other devices.

The ePrivacy Directive is separate from the requirement to then have a lawful basis for processing any personal data derived from those cookies, as is required by Article 6 of the GDPR.

Action is Required for Valid Cookie Consent

The ECJ found that because ePrivacy requires that a user must have “given his or her consent” for the storage or collection of cookies, this weighs in favor of a literal interpretation such that “action is required on the part of the user in order to give his or her consent.”

Other takeaways from the case include the ECJ confirming that the ePrivacy Directive’s consent requirements with respect to the storing or accessing of “information” apply irrespective of whether the information involved amounts to “personal data” as defined by the GDPR.

As well as the finding that for consent to be valid, website operators must transparently indicate the life span of each cookie and whether any third parties will have access to them.

Questions left unanswered by the decision include:

    • a formal opinion on the legality of so-called “cookie walls” that require consent to third party cookies as a pre-condition to general access to a website,
    • and an opinion as to whether a data subject can be required to consent to the processing of personal data for advertising purposes in order to participate in the promotional lottery.

The latter question, which the ECJ was not asked to rule on, could by extension have implications for online ad-funded content.

This case serves as a reminder that for consent to cookies to be valid in the EU, the data subject’s consent at issue must be active, rather than passive; unambiguous and not implied.

As would be the case by requiring individuals to be aware enough to un-tick a pre-ticked box; and specific, rather than bundled with other terms. Consent on the Internet Means Opt-In

Earn Valid Cookie Consent from Your Website Users

TrustArc’s best-in-class Cookie Consent Manager helps organizations of all industries and sizes satisfy their cookie compliance goals via its support for “zero-cookie” load experiences. 

Through the integration of your organization’s tag management system, or the use of our Consent Manager API, the placement of cookies or the firing of tags or trackers can be withheld until after a user affirmatively opts-in using the Consent Manager.