The Planet49 Case
To enter the lottery, users were forced to consent to being sent promotional information, and the lottery terms and conditions stated that users could opt out of the use of third-party cookies if they manually unchecked the box.
A German federal consumer rights group (Bundesverband der Verbraucherzentralen) believed that the declarations of consent requested by Planet49 did not satisfy the relevant requirements of German data protection law. As a result, the CJEU made the following ruling:
- A pre-checked box does not provide legally valid consent under the e-Privacy Directive and the GDPR. The GDPR states that pre-checked boxes, or indeed inactivity, should not be considered or assumed to be valid consent. A positive, affirmative action by the data subject is needed.
- It does not matter what information a website cookie contains; all website cookies are considered as part of a person’s ‘privacy sphere’ whilst online; therefore, all website cookies, regardless of function, are classed as personal data.
- Website users must be provided with information on the duration of cookies and whether third parties have access to them.
This clarification by the CJEU invalidated a lot of existing cookie statements. If you have not checked your cookie statement since October 2019, we suggest that you review it to ensure that your organisation is managing cookies lawfully. To find out how Tacita can help you to remain GDPR compliant, please get in contact with a member of our team using the forms below.