22 January 2020
A recent ruling by the Court of Justice of the European Union (CJEU) has confirmed that users must actively consent to cookies under the European Union General Data Protection Regulation (GDPR).[1]
Laws in the US state of California are catching up with the EU, and in Australia, the recommendations of the Australian Competition and Consumer Commission’s (ACCC) Digital Platform Inquiry – which include a number of additional protections for consumers within the Privacy Act – will be considered this year. Given these recent global developments, now is the time for companies to start looking closely at their cookie usage, consent and related internal policies.
In Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband e.V. v Planet49 GmbH (Planet49 case), Planet49 GmbH – an online gaming company collecting data for a promotional online lottery – maintained a website which was configured to provide cookie consent via an opt-out process. Participants were required to deselect a pre-checked checkbox to refuse consent to Planet49 storing cookies on the participant’s device. Planet49 also transferred the personal information of participants to its third party partners and sponsors.
After considering submissions from multiple European Governments and the opinion of the Advocate General, the CJEU determined that:
In an Australian context, Planet49’s cookie approach would meet the requirements of the Privacy Act as it currently stands. In contrast to the findings of the CJEU, current Australian regulation allows for both express and implied consent.[2] While the Australian Privacy Principles (APPs) require consent to be informed, voluntary, current and specific, they do not preclude companies from the use of pre-filled opt out checkboxes.[3]
However, given the clear global trend towards actual consent being required, it is likely that the Australian position will change.
The ACCC Digital Platforms Inquiry Final Report was released on 26 July 2019, and recommended a number of additional protections for consumers within the Privacy Act.[4] These recommendations were aimed at strengthening notification and consent requirements, and would bring the APPs closer in line with their European counterpart. The Australian Government has indicated it supports many of these measures and will conduct a consultation period this year.[5]
The GDPR requires companies to obtain ‘freely given, specific, informed and unambiguous’ consent for the processing of an individual’s personal data.[6] Additionally, the consent must be given by a ‘clear affirmative action’, and the regulation strictly precludes ‘silence, pre-ticked boxes or inactivity’ from constituting valid consent.[7]
In the US, the California Consumer Privacy Act (CCPA), which commenced on 1 January 2020, takes the GDPR one step further, allowing Californian residents to:
The third party cookie aspect of the Planet49 case is also likely to be addressed by changes implemented by browser companies aimed at eradicating such third party cookies (see, for example, the linked announcement from Justin Schuh, Director of Chrome engineering at Google); however, the privacy laws apply to both first party and third party cookies.
In light of the Planet49 case and the fast pace of law reform in this space globally, companies should review their use and consents for cookies, in particular those cookies that store personal information (or information that can be aggregated to create personal information), require specific information to be given and require direct consent to be informed.
We recommend that companies look to:
In our view, a best practice cookie policy would make clear:
[1] Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband e.V. v Planet49 GmbH (C-673/17) [2019] ECR. See link: http://curia.europa.eu/juris/d....
[2] Privacy Act 1988 (Cth) s 6(1).
[3] Office of the Australian Information Commissioner, ‘Chapter B: Key concepts’ (Australian Privacy Principles guidelines, July 2019) pt B.35, B:40. See link: https://www.oaic.gov.au/privac....
[4] Australian Competition and Consumer Commission, ‘Digital Platforms Inquiry - Final Report’ (ACCC Report, July 2019). See link: https://www.accc.gov.au/publications/digital-platforms-inquiry-final-report.
[5] Australian Government, ‘Regulating in the digital age: Government Response and Implementation Roadmap for the Digital Platforms Inquiry’ (Government Response, December 2019). See link: https://treasury.gov.au/publication/p2019-41708.
[6] EU GDPR Article 2(h) of Directive 95/46.
[7] EU GDPR Recital 32.
[8] California Consumer Privacy Act of 2018 [1798.100 – 1798.199].
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.