The company involved in the case, Planet49, had used a pre-ticked box in order to obtain consent to receive marketing messages from participants in a promotional lottery. In its ruling on case 673/17, the Court noted that even under the General Data Protection Regulation’s (GDPR) predecessor, Directive 95/46/EC, this did not constitute valid consent.
The definition of consent in the GDPR and Regulation 2018/1725, which applies to the EU institutions, is even clearer. Under these new rules, consent must be provided in the form of a statement or by a clear affirmative action.
The Court also referred to the need for valid consent to be unambiguous. In the case of a pre-ticked box, this cannot be the case, as it would be easy for an individual to miss the box. Additionally, consent must be specific. Controllers must therefore seek consent for different purposes separately, and not bundle together consent sought for separate purposes.
As the Court confirmed, affirmative, unambiguous and specific consent is required independently of whether the cookie collected qualifies as personal data or not. This is because Article 5(3) of the EU’s ePrivacy Directive requires consent for the storing of information and the gaining of access to information already stored via cookies or similar tools for marketing purposes.
The Court’s ruling helps to clarify how, and in what cases, consent is required under the EU’s data protection rules. It should act as a reminder to all controllers to ensure that their consent procedures are fully compliant with these rules.
Source: EDPS