On 29 January 2021, the Kemp Little team joined Deloitte Legal. Click here to view the press release.

As of 30 January 2021, Kemp Little LLP ceased to operate as a firm of solicitors and practice law and ceased to be regulated and authorised by the Solicitors Regulation Authority.

Kemp Little LLP has been re-named KL Heritage LLP.

If you are looking to contact a specific individual to seek legal advice or in respect of any other business relationship, please contact Deloitte Legal.

If you are seeking to contact the old Kemp Little LLP in relation to a previous business relationship or matter, please get in touch with KL Heritage LLP.

For enquiries relating to Kemp Little technology products and training portal, please email deloittelegal@deloitte.co.uk

 


 

Kemp Little is a trade name used under licence by KL Heritage LLP (formerly Kemp Little LLP, registered number OC300242 and VAT number 182 8854 65).

On 29 January 2021, the Kemp Little team joined Deloitte Legal.  As of 30 January 2021, Kemp Little ceased to operate as a firm of solicitors and practice law. From this date Kemp Little ceased to be authorised and regulated by the Solicitors Regulation Authority and is being re-named KL Heritage LLP.

All references to Kemp Little herein are references to KL Heritage LLP, which used to carry on business in that name.

KL Heritage LLP is not connected to or associated with Deloitte Legal or Deloitte LLP in any capacity.

 

Kemp Little
  • Looking for someone?
  • Email us
  • Search
MENU MENU
Insights overview

Data protection & privacy · 8 October 2019 · Marta Dunphy-Moriel · Alex Dittel

Pre-ticked boxes for cookies? What Planet49 do you live on?

In its recent judgment C-673/17 the CJEU clarified rules around the consent to “store information or to gain access to information stored in the terminal… Read more

more content below

In its recent judgment C-673/17 the CJEU clarified rules around the consent to “store information or to gain access to information stored in the terminal equipment of a subscriber or user”, or, in other words, to place cookies on a user’s machine. This case confirms what many regulators already consider status quo under the GDPR. A pre-ticked box is just not good enough.

An additional interesting fact is that the CJEU considered current law in this pre-GDPR case.

What was the case about?

The case before the German Federal Court of Justice was whether the website operator Planet49 was right to rely on a pre-ticked box as consent to place third party cookies on the user’s machine. Planet49 provided detailed information about cookies and user rights on its website but the claimant German consumer protection association did not budge on the pre-ticked boxes.

Uniform application of EU law

The court decided to look past the German law which it held would not add to a uniform application of EU law and the principle of equality. Instead, as per previous case law, account was taken of the EU law, its legislative context and objectives.

European e-Privacy rules

Essentially, consent has to be “freely given specific and informed indication of … wishes … [that] signifies … agreement”. Under the GDPR, the stricter requirement of “clear affirmative action” applies and its recitals specifically exclude pre-ticked boxes. This has put the nail in the coffin of pre-ticked boxes.

The CJEU made the following observations:

  • The e-privacy rules set out in Directive 2002/58, as amended, do not indicate the “way in which that consent must be given”. However, the recitals included the “ticking a box” example and referred to the meaning of consent under the Directive 95/46.
  • The Directive, now replaced by the GDPR, referred to “indication” of consent which implied some sort of action. A pre-ticked box is passive and hence insufficient.
  • Reference to “unambiguously” could only be satisfied by active behaviour. A pre-ticked box would also fail to meet the “informed” requirement.
  • The 2009 amendment to e-Privacy introduced the consent requirement and mere notice with the right to refuse was no longer sufficient.
  • In order to be “specific”, consent must relate specifically to the purpose of processing in question and cannot be inferred from consent for other purposes.
  • The court clarified that the cookies rules apply regardless of personal data being processed as e-privacy rules are intended to protect users from hidden identifiers and other devices.
  • Finally, the court clarified that the reference to “clear and comprehensive information” under e-privacy means “clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed”. Reference was made to providing information about “the period for which the personal data will be stored” under the GDPR. The information must explain “whether or not third parties may have access to those cookies”.

Third parties relying on consent

There is an additional discussion on whether third parties relying on the consent must be listed in the notice or if a reference to “categories of recipients of the data” would suffice. The CJEU stopped short of explaining if such third parties have to be explicitly named and only reiterated that the provisions in the law “expressly refer to the recipients or categories of recipients of the data”. However, the ICO and other regulators consider that listing categories will not suffice, as our cookies guide explains. Therefore, unless the parties are listed the consent will likely fail to be granular and informed and may as a result be invalid.

Next steps

The call to action for website operators is to carry out a cookie audit and implement an appropriate consent mechanism for non-essential cookies. Following the release of the ICO’s revised guidance on cookies in July, many websites remain non-compliant.

  • Share this blog

  • Twitter
  • Facebook
  • Linkedin

Need to talk about this?

Marta Dunphy-MorielMarta Dunphy-Moriel

Alex DittelAlex Dittel

Get in touch

Sign up for our newsletters

  • Share this Blog

  • Twitter
  • Facebook
  • Linkedin

Other stuff you might like

  1. How to… lawfully collect customer contact-tracing information | The Caterer
  2. What to do when an audit highlights deficiency
  3. Podcast | DPO Update: DPIAs, Schrems 2, e-privacy, CCPA & CPRA, mobile phone extraction by police, Smart TVs investigated and latest fines
The hottest topics in technology
  • Adtech & martech
  • Agile
  • Artificial intelligence
  • EBA outsourcing
  • Brexit
  • Cloud computing
  • Complex & sensitive investigations
  • Connectivity
  • Cryptocurrencies & blockchain
  • Cybersecurity
  • Data analytics & big data
  • Data breaches
  • Data rights
  • Digital commerce
  • Digital content risk
  • Digital health
  • Digital media
  • Digital infrastructure & telecoms
  • Emerging businesses
  • Financial services
  • Fintech
  • Gambling
  • GDPR
  • KLick DPO
  • KLick Trade Mark
  • Open banking
  • Retail
  • SMCR
  • Software & services
  • Sourcing
  • Travel
close
The hottest topics in technology
  • Adtech & martech
  • Agile
  • Artificial intelligence
  • EBA outsourcing
  • Brexit
  • Cloud computing
  • Complex & sensitive investigations
  • Connectivity
  • Cryptocurrencies & blockchain
  • Cybersecurity
  • Data analytics & big data
  • Data breaches
  • Data rights
  • Digital commerce
  • Digital content risk
  • Digital health
  • Digital media
  • Digital infrastructure & telecoms
  • Emerging businesses
  • Financial services
  • Fintech
  • Gambling
  • GDPR
  • KLick DPO
  • KLick Trade Mark
  • Open banking
  • Retail
  • SMCR
  • Software & services
  • Sourcing
  • Travel
Kemp Little

Lawyers
and thought leaders who are passionate about technology

Expand footer

Kemp Little

138 Cheapside
City of London
EC2V 6BJ

020 7600 8080

hello@kemplittle.com

Services

  • Commercial technology
  • Consulting
  • Disputes
  • Intellectual property
  • Employment
  • Immigration

 

  • Sourcing
  • Corporate
  • Data protection & privacy
  • Financial regulation
  • Private equity & venture capital
  • Tax

Sitemap

  • Our people
  • Insights
  • Events
  • About us
  • Contact us
  • Cookies
  • Privacy
  • Terms of use
  • Complaints
  • Debt recovery charges

Follow us

  • Twitter
  • LinkedIn
  • FlightDeck
  • Sign up for our newsletters

Kemp Little LLP is a limited liability partnership registered in England and Wales (registered number OC300242) and is authorised and regulated by the Solicitors Regulation Authority. Its registered office is 138 Cheapside, London EC2V 6BJ. The SRA Standards and Regulations can be accessed by clicking here.

  • Cyber Essentials logo
  • LORCA logo
  • ABTA Partner+ logo
  • Make Your Ask logo
  • FT Innovative Lawyers 2019 winners logo
  • Law Society Excellence Awards shortlisted
  • Legal Business Awards = highly commended
  • Home
  • Our people
  • Services
    • Business restructuring and reorganisation
    • Commercial technology
    • Consulting
    • Corporate
    • Data protection & privacy
    • Digital content & reputation risk
    • Disputes
    • Employment
    • Financial regulation
    • Immigration
    • Innovation
    • Intellectual property
    • Private equity & venture capital
    • Sourcing
    • Tax
    • Travel
  • Resources
  • Insights
  • Covid 19: Your Business Continuity
  • Events
  • About us
    • Who we are
    • Our social responsibilities
    • Our partnerships
    • Join us
  • Contact us
  • FlightDeck
  • Sign up for our newsletters
  • Follow us
    • Twitter
    • LinkedIn
close
close
close

Send us a message

Fill in your details and we'll be in touch soon

[contact-form-7 id="4941" title="General contact form"]
close

Sign up for our newsletter

I would like to receive updates and related news from Kemp Little *

Please select below any publications that you would like to receive:

Newsletters

close

Register for future event information

[contact-form-7 id="4943" title="Subscribe to future events"]
close
close
Generic filters
Exact matches only

Can't remember their name? View everyone

  • Home
  • Our people
  • Services
    • Business restructuring and reorganisation
    • Commercial technology
    • Consulting
    • Corporate
    • Data protection & privacy
    • Digital content & reputation risk
    • Disputes
    • Employment
    • Financial regulation
    • Immigration
    • Innovation
    • Intellectual property
    • Private equity & venture capital
    • Sourcing
    • Tax
    • Travel
  • Resources
  • Insights
  • Covid 19: Your Business Continuity
  • Events
  • About us
    • Who we are
    • Our social responsibilities
    • Our partnerships
    • Join us
  • Contact us
  • FlightDeck
  • Sign up for our newsletters
  • Follow us
    • Twitter
    • LinkedIn