The European Union decides on the need for data subjects' active consent for the use of cookies

In a recent ruling on privacy and the processing of personal data, the Court of Justice of the European Union (“CJEU”) considered that the consent of the data subject to use Internet cookies is mandatory. The reference for a preliminary ruling was submitted to the CJEU by the German Federal Supreme Court in a dispute between the German Federation of Consumer Organizations and Associations and the online gaming company “Planet49 GmbH”. The dispute concerned the consent given by users participating in a promotional game organized by the company, both for the transmission of their personal registration data to the sponsors and partners of “Planet49 GmbH” and for storing information, and accessing information already stored, on their devices through cookies.

The legal framework examined by the CJEU took into account the laws of the country of origin of the dispute (Germany), as well as European Community directives on the processing of personal data, the free movement of such data and the protection of privacy, in addition to Article 6(1)(a) of the General Data Protection Regulation (GDPR), which establishes data holders' consent as the legal basis for the processing of their personal data for one or more specific purposes.

In deciding the case, the CJEU considered two questions: whether consent is valid when the storage of information, or access to information already stored on the user's terminal equipment, is authorized passively through a pre-validated opt-in mechanism that requires the user to uncheck the option in order to refuse consent; and what information the service provider should communicate to the user in order to comply with the GDPR's legal requirement to provide “clear and complete information”.

Starting from the premise that, under Article 4(11) of the GDPR, consent is a free, specific, informed and explicit expression of willingness, whereby the data subject agrees, by means of a clear affirmative statement or action, to the processing of personal data concerning them for a specific purpose, the CJEU first decided that this legal requirement implies the need for active rather than passive consent by the user. Accordingly, consent to the use of cookies provided through a pre-marked option, being passive behavior, would not be characterized as a valid means of obtaining consent for the processing of personal data in this case.

The CJEU also decided that clear and complete information must be provided about the prior consent obtained and the purposes of the processing in question, in order to enable the user to fully understand the functioning of the cookies used by that company. In addition, the information that the service provider gives to a website user must include the duration of these cookies and whether or not third parties will have access to them. Without this information, the means and purposes of the processing of personal data are not clearly and completely communicated to the user, which impairs the validity of their consent.

In short, the CJEU's understanding demonstrates that consent to the use of cookies must be free, informed, specific and explicit in order to be valid and effective. Such requirements for the validity of consent, however, are not new to the European scenario: international data protection authorities and bodies such as the Article 29 Working Party have, for example, specific publications on the requirement that the data holder's statement of willingness be free and informed for the consent to be valid. It may be noted, however, that certain practices, such as forcing the data holder to “scroll down” to consent to the use of cookies, continue to be used even if they do not necessarily meet the above legal requirements.

In the Brazilian scenario, the LGPD defines consent in its article 5, item XII, as a “free, informed and unambiguous manifestation by which the data subject agrees to the processing of their personal data for a particular purpose”, providing, like the GDPR, fundamental requirements for the validity of consent. Considering the influence of European decisions in the Brazilian data protection scenario, and the absence, up until now, of a duly constituted and active Data Protection Authority capable of issuing guidelines for the national market, it is clear that this decision will imply behavioral change from national players.

Finally, it is important to consider that, although very common in data protection discussions, the use of consent, whether through cookies or in different situations, tends to be the most critical and volatile legal basis. For its use, it is advised that data processing agents strictly follow all the rules imposed for this legal basis, under penalty of having an invalid consent (a very common situation in the market today). And while there are no national guidelines or case law from the country's courts, EU decisions are used as an important guidance framework.

Check the full decision of the CJEU at: (Portuguese) or (English).

To receive the main news from the law making scenario related to privacy and data protection, nationally and internationally, follow the Azevedo Sette Advogados Technology, Media and Telecommunications team.