How Italian consent to cookies might change after CJEU Planet49 decision

The position of the European Court of Justice in the Planet 49 case on consent required for the acceptance of cookies might impact the approach previously validated by the Italian data protection authority on the matter.

The Planet49 case on consent required for cookies

My colleague, Tommaso Ricci, well summarized on his blog, the case involving a German gambling operator, Planet 49, that hosted a lottery on its website. Users were required to enter their name and address to participate in the lottery. Beneath the input fields for the address, there were two sets of checkboxes.

The first checkbox was not pre-ticked and related to the consent to be contacted by sponsors about their commercial offers. The second checkbox was pre-ticked related to the consent to have cookies placed on the participant’s device to provide targeted ads to the participant.

According to the rules of the lottery, the participation to the lottery was only possible if the participant ticked at least the first checkbox. Such an approach was claimed to infringe the EU rules on informed and freely given consent. The case reached Germany’s Federal Court of Justice, which then referred the case before the CJEU.

The position of the European Court of Justice on the cookie walls in Planet49 case

The Court held that

1. placing of cookies requires the active consent of the Internet user and cannot be provided through a pre-checked checkbox which the user must de-select to refuse his/her consent;
2. Consent must be specific. The fact that a user selects the button to participate in an online promotional lottery is not sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies;
3. The circumstance on whether information stored or accessed on the user’s equipment is personal data is not relevant. EU law aims to protect the user from any interference with his/her private life. In particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge; and
4. Users must be informed about the duration of the operation of cookies and whether or not third parties may have access to those cookies.

The consequences of Planet49 decision on consent required by the Garante to Italian cookies walls

Back in 2014, the Italian data protection authority, the Garante, had issued detailed instructions on how consent to the usage of cookies has to be provided. The position can be summarized as follows:

1. users are provided with a short privacy information notice on the homepage, linking to a long cookie policy;
2. technical necessary cookies do not require consent;
3. profiling and third party cookies do require prior consent. Each of them has to be outlined in the cookie policy, with a link to the privacy information notice of the third party and the possibility to deactivate one-by-one each cookie that shall be described in detail; but
4. consent can be given by clicking on the short-form privacy information notice, but also by continuing the navigation on the site or scrolling the webpage.

The issue is whether the simplified modality of the provision of consent validated by the Italian data protection authority can be deemed to be GDPR compliant, following the Planet49 decision. Is the consent given by scrolling on the webpage or continuing the navigation on the site sufficiently specific for the EU General Data Protection Regulation?

The Italian Privacy Code provides that decisions of the Garante issued before 25 May 2018 remain applicable, provided that “they are compatible” with the GDPR. But the WP29 held that the principles of the GDPR also apply to aspects governed by the ePrivacy Directive.

The Italian DPA did not clarify which of its old decisions are still applicable, but the Planet49 decision opens interesting questions on the topic.

On the topic above, you may find interesting the article “How privacy consent changes with the GDPR?“.