Information about Cookies
In order to obtain a user’s consent, the website had two separate boxes with different informative texts. In the first box, which was not checked by default, it was explained that Internet users’ consent must be obtained for the purpose of the advertising that would be launched by certain companies and sponsors. In the second box, consent was obtained for the use of the web page analysis service and for installing cookies to analyse Internet users’ behaviour in order to send them advertisements based on their browsing habits. In this case, the box was previously checked.
Users could only take part in the game if they checked the first box but, obviously, they could uncheck the second box. However, this aspect raised doubts for the German Court regarding the validity of obtaining users’ consent and the content of the information so it submitted these questions to the Court of Justice.
Regarding the first question, the Court of Justice replied that Internet users’ behaviour must be active for them to be deemed to have granted their consent. What is interesting about this decision is that it shows the Regulation introduced stricter requirements by stipulating the need for specificity, which requires that the specific purposes of the processing must be disclosed for consent to be granted, repeating that the freely given, specific, informed and unambiguous wishes of the data subject are only deemed as expressed when there is clear affirmative action (Pº 61).
Another interesting aspect of the Judgement is that the CJEU considered the requirement to obtain consent does not depend on the type of data being processed. This means that it is irrelevant whether or not they are personal data because the requirements that must be met to obtain consent are the same (Pº 71).
Finally, the CJEU ruled that, in accordance with the Regulation, in order to ensure fair and transparent processing, the data controller must provide users with information relating to the period for which the personal data will be stored or at least the criteria used to determine that period; therefore, information must be provided about the duration of the operation of cookies and whether or not third parties may have access to such cookies (Pº. 79 and 81).