A recent ruling by the Court of Justice of the European Union (CJEU) has confirmed that users must actively consent to cookies under the European Union General Data Protection Regulation (GDPR).
Laws in the US state of California are catching up with the EU, and in Australia, the recommendations of the Australian Competition and Consumer Commission’s (ACCC) Digital Platform Inquiry – which include a number of additional protections for consumers within the Privacy Act – will be considered this year. Given these recent global developments, now is the time for companies to start looking closely at their cookie usage, consent and related internal policies.
In Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband e.V. v Planet49 GmbH (Planet49 case), Planet 49 GmbH – an online gaming company collecting data for a promotional online lottery – maintained a website which was configured to provide cookie consent via an opt-out process. Participants were required to deselect a pre-checked checkbox to refuse consent to Planet49 storing cookies on the participant’s device. Planet49 also transferred the personal information of participants to its third party partners and sponsors.
After considering submissions from multiple European Governments and the opinion of the Advocate General, the CJEU determined that:
- consent via a pre-checked checkbox which the website user must deselect to refuse his or her consent does not constitute the requisite consent to collect personal information;
- it was of little significance whether the information stored by a company met the definition of personal data in the GDPR; and
- a service provider must give a website user clear information regarding cookies, including the purpose, the duration and whether or not third parties have access to those cookies.
In an Australian context, Planet49’s cookie approach would meet the requirements of the Privacy Act as it currently stands. In contrast to the findings of the CJEU, current Australian regulation allows for both express and implied consent. While the Australian Privacy Principles (APPs) require consent to be informed, voluntary, current and specific, they do not preclude companies from the use of pre-filled opt out checkboxes.
However, given the clear global trend towards actual consent being required, it is likely that the Australian position will change.
The ACCC Digital Platforms Inquiry Final Report was released on 26 July 2019, and recommended a number of additional protections for consumers within the Privacy Act. These recommendations were aimed at strengthening notification and consent requirements, and would bring the APPs closer in line with their European counterpart. The Australian Government has indicated it supports many of these measures and will conduct a consultation period this year.
The GDPR requires companies to obtain ‘freely given, specific, informed and unambiguous’ consent for the processing of an individual’s personal data. Additionally, the consent must be ‘clear affirmative action’, where the regulation strictly precludes ‘silence, pre-ticked boxes or inactivity’ from constituting valid consent.
In the US, the California Consumer Privacy Act (CCPA), which commenced on 1 January 2020, takes the GDPR one step further, allowing Californian residents to:
- demand companies to disclose within 45 days what information is collected;
- request a copy of that information;
- see a list of all third parties the data was shared with; and
- demand that their personal information not be sold.
The third party cookie aspect of the Planet49 case is also likely to be addressed by changes implemented by browser companies aimed at eradicating such third party cookies (see, for example, this announcement from Justin Schuh, Director of Chrome engineering at Google), however the privacy laws apply to both first party and third party cookies.
In light of the Planet49 case and the fast pace of law reform in this space globally, companies should review their use and consents for cookies, in particular those cookies that store personal information (or information that can be aggregated to create personal information), require specific information to be given and require direct consent to be informed.
We recommended that companies look to:
- Assess whether the collected data can be accessed by third parties, and if this is clearly and properly disclosed to website users.
- Assess whether the data they collect rises to the level of ‘personal information’, and if so, whether it is covered by privacy policies and current company practices.
- Assess whether they need to consider the ‘Do Not Sell’ rules created by the CCPA.
- who might have access to the personal information;
- how long they will have access for; and
- the purpose of collecting such information.
 Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband e.V. v Planet49 GmbH (C-673/17)  ECR. See link here.
 Privacy Act 1988 (Cth) s 6(1).
 Office of the Australian Information Commissioner, ‘Chapter B: Key concepts’ (Australian Privacy Principles guidelines, July 2019) pt B.35, B:40. See link here.
 Australian Competition and Consumer Commission, ‘Digital Platforms Inquiry - Final Report’ (ACCC Report, July 2019) See https://www.accc.gov.au/publications/digital-platforms-inquiry-final-report
 Australian Government, ‘Regulating in the digital age: Government Response and Implementation Roadmap for the Digital Platforms Inquiry’ (Government Response, December 2019) See https://treasury.gov.au/publication/p2019-41708
 EU GDPR Article 2(h) of Directive 95/46.
 EU GDPR Recital 32.
 California Consumer Privacy Act of 2018 [1798.100 – 1798.199].
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.