Indeed, the company hosted a promotional lottery on its website. To participate, users were asked to enter some data, such as their name, address and zip code, and were also presented with two tick-boxes, one of which was pre-selected.
The first tick-box – the selection of which was sufficient for the user to participate in the lottery – concerned consent to receive advertising from Planet49’s partners and was not pre-selected. The second one, on the other hand, was pre-ticked and enabled the company to install cookies on users’ devices in order to analyze their habits and interests so as to then send them personalized ads.
The Court held that, although Directive 2002/58 (the e-Privacy Directive) provides that the user must have “given his or her consent” to the installation of cookies on his/her device, it does not indicate the way that consent is to be given. On the grounds of both Recital 17 of the aforementioned Directive and the Opinion of Advocate General Maciej Szpunar of March 21, 2019, the Court suggested a literal interpretation of that wording, thus requiring active consent, which cannot be given by way of a pre-checked checkbox.
Furthermore, the ECJ stated that consent must be specific, in the sense that it cannot be inferred from an indication of the data subject’s wishes for other purposes, such as the selection by the user of the button to participate in a promotional lottery. Instead, the consent must refer precisely to the processing of the data concerned, as provided, inter alia, by the GDPR.
Answering the second question raised by the German Federal Court of Justice, the ECJ had the opportunity to confirm that, notwithstanding that the cookies installed by Planet49 were intended for the collection and processing of personal data, the e-Privacy Directive refers to the storage of information and its further access without specifying that it must be personal data. This means that it is irrelevant to this outcome whether or not the information stored or accessed constitutes personal data, since EU legislation aims to protect the user from any interference with his or her privacy.
Finally, the Court of Justice highlighted further information that service providers who are installing cookies must provide to the user of a website.
Firstly, and by virtue of the requirement of fair data processing, the information to be provided must contain the duration of the operation of cookies. This requirement, which is borne out by Art. 13 of the GDPR, prevents a long, or even unlimited, duration of cookie activity, which would result in the unjustified collection of a large amount of information on users’ surfing behavior. Secondly, and again in accordance with Art. 13 of the GDPR, the Court found that website operators must also inform users about third parties that have access to cookies.