Introduction

The General Data Protection Regulation (hereinafter: GDPR) is comprised of 99 Articles and 173 Recitals. With its entry into force, the issues of data processing became highly prominent. As many internet users are consumers, we would like to highlight the judgement of the Court of Justice of the European Union (hereinafter: CJEU or the Court of Justice) C–673/17 from 1^st of October 2019. It explains the notion of “informed consent” and what kind of requirements are needed for it.

Background of the case

Company Planet49 organized a promotional lottery where participants were asked, among others, to enter their names and addresses. Beneath the input fields for the address were two bodies of explanatory text accompanied by checkboxes. The first body of text was with a checkbox without a preselected tick, while the second checkbox contained a preselected tick. The latter checkbox intended to convey the internet users consent to installing cookies by Planet49, which would track their internet surfing and use such information for advertising that is based on interests of participants.

Does a pre–ticked checkbox fulfill requirements for informed consent?

In this question, court agreed with the Advocate General who took a stand that consent referred to in Article 2(f) and in Article 5(3) of Directive 2002/58 cannot be validly obtained by way of a pre–ticked checkbox where the user has to deselect to refuse his or her consent. To support this conclusion, the Court of Justice referred to the requirement of “indication” of the data subject’s wishes clearly points to active, rather than passive, behavior. Stating this, the Court of Justice took the view that a consent given in the form of a preselected tick in a checkbox does not imply active behavior on the part of a website user.

Importantly, the Court of Justice did not elaborate the issue that the consent must be freely given, arguing that a corresponding question had not been asked by the referring court.

Does it make a difference whether the information stored or accessed constitutes personal data?

As regards this question, the Court of Justice responded with a clear no. The Court of Justice took the standing that Article 5 (3) of Directive 2002/58 aims to protect the user from interference with his or her private sphere, regardless of whether or not that interference involves personal data. Such interpretation is borne out by recital 24 of Directive 2002/58, according to which any information stored in the terminal equipment of users of electronic communications networks are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. That protection applies to any information stored in such terminal equipment, regardless of whether or not it is personal data, and is intended, in particular, as is clear from that recital, to protect users from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.

Which information shall be proved to the user before obtaining his or her consent?

Regards the scope of information, the Court of Justice opted for a broad reading of Article 5(3) of Directive 2002/58 in conjunction of Article 10(c) of Directive 95/46 and Article 13(1)(e) of the GDPR. The Court of Justice again sided with Advocate General, who stated that clear and comprehensive information implies that a user is in a position to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed. It must be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed.

The Court of Justice considered that information on both the duration of the operation of cookies and whether or not third parties may have access to them had to be provided to the user.

Are there any necessary actions that shall be taken?

All website operators who use cookies with the opt–out option have to review this practice. The Court of Justice clearly confirmed that the standard of “cookies protection” does not depend on whether or not user’s personal data is actually involved. Besides that, the Court of Justice took the stand that “Cookie stuffing” requires consent that is explicit. For the future this means that surfing on despite notification or pre–set consent will no longer suffice in these cases.

In addition to all, we suggest that privacy statements and cookie policies should be reviewed to ensure that all information, that the Court of Justice considered necessary, are fully reflected. This means that it shall be included the information on the duration of the operation of cookies and whether or not third parties may have access to those cookies. 

Prepared by

Leonardo Rok Lampret