Advocate General Maciej Szpunar, a senior legal adviser to the EU's Court of Justice (CJEU), delivered an opinion (Case C‑673/17) in a case concerning the questions: should websites actually give users the choice to accept cookies, and to what extent? The Advocate General affirmed that a pre-ticked checkbox on a site that a user has visited does not represent valid consent. The AG also stated that websites should clarify how long cookies remain stored and who has access to data collected in this way.
This AG opinion is not binding, but it could influence the CJEU's final decision on the case, expected later this year. This decision could significantly affect the activities of EU web service providers and the process of accepting cookies, and lead to an internet experience that is either more user-friendly or more tedious.
What happened in the case?
In order to participate in a lottery organised by the defendant Planet49, an internet user was confronted with two checkboxes, which had to be clicked or unclicked before he could participate. Ticking the first checkbox allowed users to be contacted by a range of firms for promotional offers, while the second checkbox required users to consent to cookies or data being installed on their computers. Participation in the lottery was only possible if the first checkbox was ticked. According to the applicant Bundesverband, the declarations of consent used by Planet49 did not satisfy the requirements of German law, and after multiple proceedings, the case went to the CJEU.
What is a cookie?
A cookie consists of information or data sent by a website (e.g. an online advertising network) to your internet browser, and stored on your computer or mobile device. The next time you visit that website, your browser sends the cookie back, allowing the website to remember your actions or preferences over time.
What are the general principles on giving consent?
For consent to be “freely given” and “informed”, it must be a decision that is active and separate. An activity a user pursues on the internet (e.g. reading a webpage, participating in a lottery) and consent cannot form part of the same act. It must be made crystal clear to a user without ambiguity whether the activity is contingent on giving consent. A user must be in a position to assess to what extent he is prepared to give data in order to pursue an internet activity.
Can informed consent be given freely with a pre-ticked checkbox?
No. Requiring a user to untick a box if (s)he does not consent to the installation of cookies is not active consent. By contrast, requiring a user to tick a box makes such an assertion more probable. As mentioned, two expressions of intention (i.e. participation in the lottery and consent to the installation of cookies) cannot form part of the same act.
Is the GDPR’s “prohibition on bundling” considered absolute?
No. The AG discussed the prohibition of bundling consent under Article 7(4), GDPR. “Bundling” consent can be seen as a mechanism to “force” a data subject to consent and to allow the use of the data for purposes other than those which are essential for the performance of the contract. In this case, according to the AG, “the underlying purpose in the participation in the lottery is the ‘selling’ of personal data (i.e. agreeing to be contacted by so-called ‘sponsors’ for promotional offers). (…) it is the providing of personal data which constitutes the main obligation of the user in order to participate in the lottery. In such a situation it appears to me that the processing of this personal data is necessary for the participation in the lottery”.
Does it make a difference if the stored information is personal data?
No. Cookie consent rules apply to all data, not only personal data. According to the AG, the ePrivacy Directive makes it clear that any such information is private and aims to protect the user from interference with his private life, regardless of whether that interference involves personal data or other information.
What information must a service provider give a user?
There must always be information before there can be consent. The information given must be clearly comprehensible, unambiguous, and sufficiently detailed to enable the user to understand the functioning of the cookies. This includes both the time period for storage and whether third parties have access. Service providers must keep users informed of the types of data they are processing and the purpose and duration for which it is done. If third parties have access to the cookies set, their identity must be disclosed. This is essential to informed consent.
Will this AG opinion influence the debate over the ePrivacy Regulation?
The proposed ePrivacy Regulation (ePR) will complement the GDPR by incorporating some of its principles, updating the ePrivacy Directive and introducing legislation in all member states. Regarding cookies, the ePR aims to simplify their rules and make consent more “user friendly”, as detailed in the latest draft of the ePR. It will be interesting to see if the ePR debate will be influenced by this non-binding opinion.
Also, the European Data Protection Board (EDPB) recently adopted Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, finding that cookies are a clear example of processing activities that are subject to the ePrivacy Directive and the GDPR. For cookies, the EDPB stated that the specific provisions of the ePrivacy Directive must take precedence over the more general provisions of the GDPR. In other words, consent must be obtained. As a result, the controller cannot rely on the full range of possible lawful grounds provided by Article 6 of the GDPR.