Blog » THE COOKIE MONSTER STRIKES BACK – THE LATEST GDPR-RELATED DECISION OF THE EU COURT
THE COOKIE MONSTER STRIKES BACK – THE LATEST GDPR-RELATED DECISION OF THE EU COURT
30 October 2019
1. How Planet49 used cookies?
Planet49 is a German company who organized a promotional lottery on his webpage www.dein-macbook.de. For the visitor to take part in the lottery he had to provide certain personal data such as his name and address.
Below the input fields for the personal data two short explanatory text were placed accompanied by checkboxes. The first text declared that the visitor consents to receive commercial information from the sponsors and cooperation partners of Planet49. The checkbox appeared without a preselected tick.
The second text declared that the visitor consents that Planet49 sets cookies on his device, which enables Planet49 to evaluate the visitor’s surfing and use behaviour on websites. The checkbox next to the text contained a preselected tick.
2. How using cookies came before the CJEU?
The German Federation of Consumer Organisations („Federation”) sued Planet49 as in his opinion the practice of the company more precisely the consents requested by him do not comply with the German consumer protection laws.
The litigation between the Federation and Planet49 came even before the German high court who decided to start a preliminary ruling procedure before the CJEU.
In fact, the German high court was on the opinion that in order to make a decision in the case the it is necessary to interpret together the Directive on privacy and electronic communications and the GDPR (as well as his „predecessor”, the Data Protection Directive).
3. The questions before the CJEU
The CJEU need to answer the below questions:
- Is the consent validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user’s equipment is permitted by way of a pre-checked checkbox?
- When deciding about the validity of the consent does that make a difference whether the information stored or accessed (cookies) on the user’s equipment is considered personal data or not?
- Which information needs to be provided to the user so that the information can be regarded as clear and comprehensive?
4. The CJEU’s answers
In order to answer the above questions, the CJEU interpreted together the Directive on privacy and electronic communications and the GDPR (also the Data Protection Directive) and made the following conclusions:
- Given the fact that it appears from the above legal sources that the consent of the user shall be given by an active conduct, the consent given by way of a pre-checked checkbox cannot be considered as validly constituted.
- Since in accordance with the Directive on privacy and electronic communications consent is not only required in case of personal data, in order for the placement of cookies a valid consent is necessary also in the case if the information stored on the webpage user’s equipment are not considered as personal data.
- For the placement of cookies users shall be fully informed which means that they need to be informed about the duration of the storage of the cookies and the fact whether third parties can have access the cookies or not.
5. Lesson learnt
The most important lesson of the case is that the CJEU confirmed in the context of cookies that the „consent” given by way of a pre-checked checkbox cannot be considered as valid.
Further, it is significant that for the placement of the cookies the consent of the user is not only necessary when the cookie is considered as personal data but also if it is not personal data.
Finally, in case of cookies, the CJEU extended the minimum requirements of the prior notification to the storage period of the cookies and their accessibility by third parties.
Hungary: Steps Towards Differentiating Between Domestic and International Procedural Public Policy
Drawing a well-defined line of demarcation between domestic and international public policy when enforcing foreign arbitral awards sends a clear pro-arbitration message from national courts in any jurisdiction. Does Hungarian case law come close to this level of sophistication? This post analyses this question in the context of procedural public policy, and it does so based on two recent appellate court decisions rendered in the context of enforcement of arbitral awards in accordance with the New York Convention.Read more »
EU ISSUED NEW GDPR STANDARD CONTRACTUAL CLAUSES – WHEN AND HOW TO USE THEM?
During summer 2021, the European Commission published two new "standard contractual clauses" on data protection regulation, which can be applied on the one hand, to the legal relationship between data controllers and data processors covered by the GDPR , and to the transfers of personal data to third countries, on the other. In this article, we answer the questions: what these SCCs regulate, how do they differ from the previous SCCs and how can your company use the new SCCs?Read more »
CAN THE NON-COMPETITION AGREEMENT BE VALID WITHOUT A PRECISE COMPENSATION IN HUNGARY?
The non-compete agreement may provide protection of the legitimate economic interests of the employer even after the termination of employment relationship. However, the Hungarian Labour Code lays down strict requirements for the agreement. In our article we analyse a recent decision of the Supreme Court about the importance of the precise determination of the compensation, so you as an employer can conclude a valid non-compete agreement.Read more »