GDPR Planet49 Court Ruling

Last week, the Court of Justice of the European Union (CJEU) issued a judgment in the case involving German lottery operator Planet49. The company had pre-checked a cookie consent box for consumers when they entered a lottery to win a MacBook. A German consumer organization complained that the consent obtained for the use of cookies was therefore not sufficient. The resulting ruling from the court helps clarify certain points on the use of cookies and on obtaining valid consent under GDPR. Here’s what you need to know:

Consent is needed for the use of cookies, regardless of whether they include personal data or not.

This is a requirement of the ePrivacy Directive (ePD) read in conjunction with the General Data Protection Regulation (GDPR). It follows that relying on legitimate interests or other legal bases available in the GDPR is not permissible for the storing or accessing of information on a device, as is the case when using cookies.

Pre-ticked boxes, presumed consent and ambiguous consent, such as implied consent, are not lawful.

Only a user’s “active behavior with a view to giving his or her consent” fulfills the requirement of unambiguous consent. It must be possible to “ascertain objectively” whether a user has actually given consent. This is in line with the recent opinion published by the French data protection authority, which stated that so-called soft opt-ins, i.e. scrolling or continuing to use a website to consent, are not lawful. You can read more about that in our other post, here.

Consent requires that the user is informed of the life-span of the cookie and whether or not third parties have access to those cookies.

Therefore, a user must have been given information about third party cookies, including their life-span, at the time that the user is asked for consent.

The CJEU ruling reinforces that detailed information must be given to users, and affirmative consent must be obtained from them, before pixels or tags can fire and cookies can be written or read.

How to comply?

The easiest way for publishers and advertisers to comply with the ePrivacy Directive and GDPR as interpreted by the CJEU in its Planet49 judgment is to implement a Consent Management Platform (CMP) that meets the standards of the IAB Europe Transparency & Consent Framework (TCF), such as Quantcast Choice.

Quantcast Choice, an IAB Europe-validated CMP solution, provides information to users about who is using cookies and processing their personal data, and for which purposes. This includes access to each partner’s privacy policy, where information about their cookie practices (such as lifespan) can be found. In addition, Choice gives the user the ability to consent, and informs third parties about what the user’s choices are, so that they are respected.

Privacy-by-design is one of Quantcast’s core product development tenets, and as such we diligently work to stay on top of the latest industry developments, such as court rulings and regulator opinion and practice, to ensure our products help our partners reach compliance. This includes being involved in the evolution of the IAB TCF. To learn more about Quantcast Choice and how it can help you stay on the right side of GDPR, please click here.