The Planet49 Case
To enter the lottery, users were forced to consent to being sent promotional information and the lottery terms and conditions stated that users could opt-out of the use of third party cookies if they manually unchecked the box.
A German federal consumer rights group (Bundesverband der Verbraucherzentralen) believed that the requested declarations of consent by Planet49 did not satisfy the relevant requirements of the German data protection laws. As a result the CJEU made the following ruling:
- A pre-checked box would not offer consent that was legal under the e-Privacy Directive and the GDPR. The GDPR states that pre-checked boxes or indeed inactivity should not be considered or assumed as valid consent. A positive affirmative action by the data subject is needed.
- It does not matter what information a website cookie contains; all website cookies are considered as part of a person’s ‘privacy sphere’ whilst online; therefore, all website cookies, regardless of function, are classed as personal data.
- Website users must be provided with information on the duration of cookies and whether third parties have access to them.
This clarification by the CJEU invalidated a lot of existing cookie statements. If you have not checked your cookie statement since October 2019, we suggest that you research to ensure that your organisation is managing cookies in a legal fashion. To find out how Tacita can help you to remain GDPR compliant, please get in contact with a member of our team using the forms below.