Blog » THE COOKIE MONSTER STRIKES BACK – THE LATEST GDPR-RELATED DECISION OF THE EU COURT
THE COOKIE MONSTER STRIKES BACK – THE LATEST GDPR-RELATED DECISION OF THE EU COURT
30 October 2019
1. How Planet49 used cookies?
Planet49 is a German company who organized a promotional lottery on his webpage www.dein-macbook.de. For the visitor to take part in the lottery he had to provide certain personal data such as his name and address.
Below the input fields for the personal data two short explanatory text were placed accompanied by checkboxes. The first text declared that the visitor consents to receive commercial information from the sponsors and cooperation partners of Planet49. The checkbox appeared without a preselected tick.
The second text declared that the visitor consents that Planet49 sets cookies on his device, which enables Planet49 to evaluate the visitor’s surfing and use behaviour on websites. The checkbox next to the text contained a preselected tick.
2. How using cookies came before the CJEU?
The German Federation of Consumer Organisations („Federation”) sued Planet49 as in his opinion the practice of the company more precisely the consents requested by him do not comply with the German consumer protection laws.
The litigation between the Federation and Planet49 came even before the German high court who decided to start a preliminary ruling procedure before the CJEU.
In fact, the German high court was on the opinion that in order to make a decision in the case the it is necessary to interpret together the Directive on privacy and electronic communications and the GDPR (as well as his „predecessor”, the Data Protection Directive).
3. The questions before the CJEU
The CJEU need to answer the below questions:
- Is the consent validly constituted if, in the form of cookies, the storage of information or access to information already stored in a website user’s equipment is permitted by way of a pre-checked checkbox?
- When deciding about the validity of the consent does that make a difference whether the information stored or accessed (cookies) on the user’s equipment is considered personal data or not?
- Which information needs to be provided to the user so that the information can be regarded as clear and comprehensive?
4. The CJEU’s answers
In order to answer the above questions, the CJEU interpreted together the Directive on privacy and electronic communications and the GDPR (also the Data Protection Directive) and made the following conclusions:
- Given the fact that it appears from the above legal sources that the consent of the user shall be given by an active conduct, the consent given by way of a pre-checked checkbox cannot be considered as validly constituted.
- Since in accordance with the Directive on privacy and electronic communications consent is not only required in case of personal data, in order for the placement of cookies a valid consent is necessary also in the case if the information stored on the webpage user’s equipment are not considered as personal data.
- For the placement of cookies users shall be fully informed which means that they need to be informed about the duration of the storage of the cookies and the fact whether third parties can have access the cookies or not.
5. Lesson learnt
The most important lesson of the case is that the CJEU confirmed in the context of cookies that the „consent” given by way of a pre-checked checkbox cannot be considered as valid.
Further, it is significant that for the placement of the cookies the consent of the user is not only necessary when the cookie is considered as personal data but also if it is not personal data.
Finally, in case of cookies, the CJEU extended the minimum requirements of the prior notification to the storage period of the cookies and their accessibility by third parties.
ONLINE CONSUMER CONTRACTS – IS YOUR BUSINESS CONCERNED?
Black Friday is once again around us: the time when online shops and the consumer protection authority cash in some extra income every year. We guess you’ve already read about the extreme discounts and the record-breaking fines by the authorities, so in our article, we will explain, that without your knowledge, your own business can easily step into the field of consumer protection, in which case, your contracts are subject to special rules. In our article, we show you how you can recognize these situations and, of course, summarize the obligations.Read more »
HOW TO TRANSFER PERSONAL DATA TO NON-EEA COUNTRIES? - NEW EDPB RECOMMENDATION
Since in the middle of summer 2020, the Court of Justice of the EU (CJEU) invalidated the Privacy Shield and put into question the applicability of the standard contractual clauses, we were wating for guidance from the European Data Protection Board (EDPR) how to transfer personal data to non-EEA countries in a GDPR-compliant way. Finally, the EDPB broke the silence and provided a 6-step guide which we summarize in this short article.Read more »
THE SUPREME COURT RULED – FLEXIBLE WORKING TIME CAN ONLY BE ORDERED IN WRITING IN HUNGARY
It is often the case that the employer does not clearly regulate the employment relationship of the employees, which later leads to an employment lawsuit. This happened in the case before the Hungarian Supreme Court, where a legal dispute arose in connection with the employee's work schedule, the stake is the payment of several million forints of overtime work compensation to the employee. In our short article, we analyze the Supreme Court’s decision and draw conclusions on how the employer can avoid similar situations.Read more »