The CJEU rules on consent to cookies under data protection law
Lorna Woods, Professor of Internet Law, University of Essex
according to recital 32 [GDPR], giving consent could include ticking a box when visiting an internet website. On the other hand, that recital expressly precludes ‘silence, pre-ticked boxes or inactivity’ from constituting consent [para 62].
The Court noted that the referring court did not asked the question as to whether making consent to such processing a precondition for participation in the lottery satisfied the requirement for consent to be ‘freely given’ and therefore the ECJ did not answer that question.
Given that the e-Privacy Directive is not just about personal data, the referring court asked if the meaning of consent was the same should data other than personal data be in issue. While it was accepted that the data in issue constituted personal data, in line with the approach of the Advocate General and relying on Recital 24 of the e-Privacy Directive, the Court commented:
that Article 5(3) of Directive 2002/58 refers to ‘the storing of information’ and ‘the gaining of access to information already stored’, without characterising that information or specifying that it must be personal data [para 68].
The ruling will have significant implications for those who obtain data relying on cookies, as the Court has confirmed that ‘active consent’ is required. While this is clear on the face of the GDPR it was less so under the Data Protection Directive. Given that the Data Protection Directive has already been repealed and the GDPR is now in force the consequences – save for those already legally embroiled on this point – might be thought to be limited. Nonetheless, this is a clear affirmation of the fact that the GDPR definition of consent applies in the e-Privacy Directive.
As an aside, it is also worth noting the broader scope of the e-Privacy Directive: it is not limited to personal data but the ‘private sphere of individuals’, that private sphere encompassing users’ ‘terminal equipment’. This means that national rules should not be less strict if no personal data is in issue. The Court reminds us also that the protection in the e-Privacy Directive is not limited to to cookies but to ‘hidden identifiers and other similar devices’ [para 70]. Presumably then these techniques also require active consent. Of course, this ruling relates to the e-Privacy Directive; it remains to be seen what the position will be should the proposed ePrivacy Regulation ever be agreed.
The final point to note is the issue surrounding ‘freely given’. The German court did not raise the question of whether requiring consent as a pre-condition for accessing the service would be permissible and the Court did not answer it of its own volition. This presumably will come before the Court another day.
Photo credit: pcmag