On 1 October 2019, the CJEU ruled that the organiser of an online lottery, Planet49, did not get consent for cookies as required by the ePrivacy Directive (2002/58/EC) because the consent box was pre-ticked. Most privacy lawyers would have been expecting this conclusion – not least because it follows the March 2019 opinion of Advocate General Szpunar.
The online lottery in question was designed to gather email addresses for partner advertisers to email those who registered for the lottery. The box to consent to emails was not pre-ticked but you had to consent in order to enter the lottery. The cookies were used to enrich the data held by Planet49 by generating data whenever a registered user visited a website of a partner advertiser. From the user point of view, emails received from any such partner advertiser would take into account their visit to the partner website.
I expect many would agree that this is the kind of scenario which privacy law should ensure is consensual, though I wonder whether you can take the view that the online lottery is clearly (with full transparency) designed to collect personal data in return for a chance in a lottery. What is wrong with saying that part of the data use involves enriching the user experience via cookies? Especially because, apparently, Planet49 didn’t give advertisers access to the personal data, or even to aggregate data across advertisers.
But not all cookies are the same; they come in many shapes, rather like the edible ones. One very common internet cookie supports website analytics. Without cookies, a website cannot tell whether the visitors to each page are unique, so cookies enable the website operator to check how visitors use the website with a view to improving the user experience. Nothing wrong with that? The challenge is that if the website gives the user an unticked box, visitors tend not to opt in; they typically don’t know much about cookies – only techies and privacy lawyers really need to understand how they work – and so visitors take the path of least resistance and don’t opt in.
When cookie consent was introduced in 2010, the ICO tried to avoid the issue by saying:
“Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action”.
Rumour has it that the ICO got first-hand experience because they originally implemented an active consent for analytics cookies on their own site and only a handful of visitors consented, so they reverted to the usual website notice. Note that the enforcement statement only applied to first party cookies. Websites often use external service providers to run their website analytics, and that involves third party cookies.
So whilst not ideal, there was some comfort around enforcement. But then along comes the GDPR. Hold on though, the ePrivacy Directive didn’t get replaced as planned, so why is the GDPR relevant? Well, the ePrivacy Directive refers out for the definition of consent and that wording is now the GDPR version – though arguably the substance hasn’t changed, because the wording added to the definition by the GDPR reflected the way the consent concept was interpreted by the Article 29 Working Party in any event. The GDPR did change the game more generally and also raised the level of fines exponentially – though the ICO has confirmed that fines for breach of ePrivacy rules remain the same.
So the question still arises in light of the GDPR and now Planet49: if a website gives clear information about cookies for analytics, will the ICO enforce? In its new 2019 guidance, the ICO says:
“Although the ICO cannot rule out the possibility of formal action in any area, this may not always be the case where the setting of a first-party analytics cookie results in a low level of intrusiveness and low risk of harm to individuals.”
However, you should note that analytics cookies are often provided by a third party so the ICO’s safe harbour is not necessarily going to be available.
The legal analysis of course could and should be a lot simpler. Maybe help will arrive in the form of the ePrivacy Regulation – even if it is not yet adopted – because the new draft takes a more permissive line for some cookies, including for audience measurement, and that permission extends to third party service providers (subject to compliance with Article 28 GDPR). One final point is that the UK is due to leave the EU on 31 October and, if that transpires, the ePrivacy Regulation won’t apply in the UK. However, the UK may well introduce similar rules in order to achieve adequacy for transfers of personal data to the UK from the EU27.
Whatever the position, care has to be taken as other jurisdictions may not take the same permissive approach as the UK. That said, the ePrivacy Regulation might help Planet49 as recital 21 says: “In some cases the use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment may also be necessary for providing an information society service, requested by the end-user, that is wholly or mainly financed by advertising provided that, in addition, the end-user has been provided with clear, precise and user-friendly information about the purposes of cookies or similar techniques and [has accepted such use]”.