LOCATIONS
Bratislava | Slovakia

Office

Hviezdoslavovo námestie 13
811 02 Bratislava
Slovakia

+421 2 5929 1111

Map and directions

User consent for storing and accessing cookies in light of the recent decision of the Court of Justice of the European Union

October 2019 – On 1 October 2019, the Court of Justice of the European Union (CJEU) handed down a preliminary ruling in a case that made its way from the Federal Court of Justice in Germany (FCJ) regarding the validity of user consent systems for cookie data storage via pre-ticked checkboxes, and also on the amount of information that must be divulged to users prior to such consent being given (the “Ruling”).

According to the Ruling, the consent given by a website user to the storage of and access to cookies is not validly constituted by way of a pre-checked checkbox which the user must deselect to refuse granting such consent.

Further, the CJEU found, users should be presented with clear and complete information beforehand, which must, among other things, include information on the intended purposes of any data processing, cookie duration, and the ability of third-parties to access such cookies.

Prior court dispute and the reasoning behind the ultimate verdict

The case that reached the CJEU stemmed from a German court case connected to the use of cookies by Planet49 GmbH. This German company offered an online lottery that required users to input their names and addresses into its website. This site contained checkboxes for users to give consent to receive marketing materials and for the use of cookies. However, the checkbox for giving consent to the use of cookies was pre-checked, with users given the opportunity to uncheck this box and yet still partake in the online lottery.

In its Ruling, the CJEU stated that giving consent requires active consideration on the part of the user. Further, the CJEU noted that such consent must be specific, i.e. the fact that a user selects a button to participate in a promotional lottery does not sufficiently construe that the user validly gave their consent to the storage of cookies.

The Ruling primarily concerns the interpretation of the word “consent” and the requirements stipulated in the Privacy and Electronic Communications Directive 2002/58/EC (also known as the “ePrivacy Directive”). These rules are valid even in cases when cookies do not contain personal information within the meaning of the General Data Protection Regulation (“GDPR”). In the event that cookies contain information enabling the identification of a specific individual, additional GDPR requirements must be considered.

The German and Czech implementation of the ePrivacy Directive

The ePrivacy Directive requires a so-called “opt-in” consent for cookies – meaning a requirement for users to give their active consent to the storage and accessing of cookies (with the exception of certain types of cookies necessary for the functioning of a website and the provision of services that may be stored without consent). The “opt-in” consent system was introduced in an amendment to the ePrivacy Directive in 2009; the original version of the ePrivacy Directive implemented in 2002 contained a so-called “opt-out” system in relation to cookies – meaning the ability to store and access cookies is automatically granted unless the user specifically opts to refuse this.

The “opt-out” system for cookies was also adopted by the German and Czech legislatures in accordance with the original version of the ePrivacy Directive. Even after the amendment of the ePrivacy Directive (requiring “opt-in” consent for cookies) the former opt-out system was retained by both countries. This means that current Czech and German legislation does not reflect the “opt-in” consent requirement under the ePrivacy Directive.

On 25 May 2018, the Czech Data Protection Authority offered its view on the issue of cookie consent rules, finding that the valid giving of consent to the use of cookies merely required a browser setting on the part of the user which enables websites to store cookies. However, such an interpretation is at odds with a legal opinion previously issued by the Article 29 Data Protection Working Party (WP29), in which browser settings can only be regarded as representing a valid giving of consent in cases where the default setting of such a browser disabled the storage of cookies, meaning that in order to enable cookies a user must actively change such settings; additionally, only if users have been provided with clear and complete information prior to giving such consent. Inasmuch as the view of the Czech Data Protection Authority has been welcomed by a large segment of the Czech market, it cannot be considered as sustainable in the long-term.

Given that the “opt-out” system is something of an exception within the member states of the European Union due to its incompliance with the ePrivacy Directive, in cases with a trans-national character, it is advised that the stronger “opt-in” consent is sought.

Does the CJEU ruling represent a major development?

Despite the fact that the Ruling’s central findings are not a game changer in the EU context, and are not directly applicable to the Czech Republic due to the “opt-out” consent required by local laws, the Ruling can nonetheless be characterised as representing a debt on the part of the Czech Republic, incurred as a result of its incorrect transposition of the ePrivacy Directive into its national statute books.

As already noted, the Decision relates to a preliminary ruling submitted by the German Federal Court of Justice. Due to the fact that the German legislature also failed to adopt the “opt-in” consent requirement set forth by the ePrivacy Directive, the German Federal Court of Justice’s future rulings in this case will undoubtedly be of great interest, including with respect to how it might rule on the apparent conflict between German law and the ePrivacy Directive and the applicability of GDPR.

In its ruling, the Court of Justice of the European Union also noted that privacy protections addressed in the ePrivacy Directive apply to all data stored within an end user’s device, irrespective of whether these concern personal data or not, and are primarily designed to protect users against the risk of covert identifiers or other tools being used within the end-user devices. Indeed, such conduct could be deemed to represent unfair commercial practices by competition or consumer protection authorities – such as the Italian Competition Authority (ICA) penalising Facebook in 2018 with a EUR 10m fine for unfair commercial practices for using its subscribers’ data for commercial purposes.

The Ruling also underscores the need to provide full and complete information to users prior to their giving consent, including information on the operational duration cookies and the ability of third-parties to access cookies. Such information should be provided in a clear and plain language so as to enable users to fully understand the given consent. At present, information on the operational cookies is often missing from the texts of cookie consent forms.

The EU is currently debating adopting a new ePrivacy regulation to replace the current ePrivacy Directive, which will also address the current problem of conflicting laws in the Czech Republic and Germany.

For further information, please contact Zdeněk Kučera, Managing Associate & Co-head of firm-wide TMT practice, at , or Štepánka Havlíková, Junior Associate, at .