On 21 March 2019 Advocate-General Szpunar (the “Advocate General”) delivered his opinion on the Planet49 case, an important case regarding the rules applicable to cookies currently pending before the Court of Justice of the European Union (CJEU).

The facts

Planet49, a company registered in Germany, hosted on its website a lottery. To participate in the lottery, a participant was required to enter his name and address. Beneath the input fields for the address were two sets of checkboxes.

The first checkbox was not pre-ticked, and it was meant for the participant to consent to being contacted by certain sponsors about their commercial offers. The second checkbox was pre-ticked, and it was meant for the participant to consent to have cookies placed on his device for the purposes of providing targeted ads to the participant.

According to the rules of the lottery, participation was only possible if the participant ticked at least the first checkbox.

The Bundesverband (Federation of German Consumer Organisations) ultimately instituted court proceedings against Planet49, claiming that the latter’s declarations of consent used for the lottery did not meet the necessary requirements of informed and freely given consent. The case reached Germany’s Federal Court of Justice, which then referred the case before the CJEU, seeking guidance on the interpretation of certain provisions of the e-Privacy Directive (Directive 2002/58), the Data Protection Directive (Directive 95/46, the “DPD”), and the General Data Protection Regulation (Regulation 2016/679, the “GDPR”).

In his opinion, the Advocate General interprets the notion of consent under the EU data protection and privacy legal framework, the scope of the ePrivacy Directive and the information to be provided to the data subject to obtain an informed consent.

1.Consent

It is important to note that this case constitutes the first interpretation of the notion of consent under the GDPR. Although the facts occurred before the entry into application of the GDPR, the Advocate General applied the principles of the GDPR to the case considering that the Budesverband’s injuction also covered future behaviour from Planet49.

After assessing the conditions for valid consent under both the DPD and the GDPR, the Advocate General came to the conclusion that there were no substantial differences between the two texts with regard to consent. He only noted that the GDPR is more explicit in laying down certain criteria.

The Advocate General emphasized that consent needs to be manifested in an active manner. It requires an unambiguous indication of the data subject’s wishes and a clear affirmative action signifying agreement to the processing of personal data. Consequently, he outlined that a simple inaction is insufficient but some sort of action is required to constitute consent.

Moreover, he stressed that for consent to be freely given and informed, it must not only be active, but also separate. Thus, the Advocate General considered that the activity that a user pursues on the internet and the giving of consent cannot form part of the same act. More specifically, the giving of consent cannot appear to be of an ancillary nature to the activity pursued on the internet, but both actions must optically be presented on an equal footing. According to the Advocate General, it must be crystal-clear to a user whether the activity he pursues on the internet is contingent upon the giving of consent and the user must know whether and, if so, to what extent is giving of consent has a bearing on the pursuit of his activity on the internet. As a consequence, he expressed his doubts as to whether a bundle of expressions of intention, which would include the giving of consent, would be in conformity with the data protection legal framework.

In light of these principles, the Advocate General considered that Planet49 did not obtain valid consent to the placing of cookies on the lottery participants’ devices (second checkbox), as it fulfilled neither of the three criteria.

In this respect, the Advocate General stated that requiring a user to positively untick a box and therefore become active if he does not consent to the installation of cookies does not satisfy the criterion of active consent. In such a situation, he considered that it is virtually impossible to determine objectively whether or not a user has given his consent on the basis of a freely given and informed decision. By contrast, requiring a user to tick a box would make such an assertion far more probable.

In addition, the Advocate General considered that a pre-ticked checkbox such as the second Planet49 checkbox (for cookies) did not fulfil the conditions of separate and informed consent, since the consenting to cookies was bundled together with the expression of intent to participate in the lottery, and the participant was apparently not informed of the fact that consenting to cookies was not mandatory for him to be able to participate in the lottery.

Although the Advocate General noted that the crux of the case related only to the second checkbox, he also commented on an issue arising in connection with the first checkbox. Thus, he considered that while there is no problem with a lottery participant making an active consent, it might not be considered as separate.

The Advocate General then referred to Article 7(4) GDPR, which he interpreted as providing a general prohibition on consent bundling, but with certain exceptions (hence, the wording ‘utmost account shall be taken of’). The main question concerning the first checkbox, should the CJEU decide to examine the issue, is whether the processing of personal data is necessary for the participation in the lottery. He then argued that this would indeed be the case in the present circumstances, since the purpose of the lottery was to sell personal data to sponsors, which would mean that providing personal data was the main obligation of a participant in order to participate in the lottery.

2. Scope the ePrivacy Directive

The Advocate General further examined whether it makes a difference if the information stored by cookies constitutes personal data or does constitute personal data.

The Advocate General’s answer to this issue is straightforward. He recalled that the wording of Article 5 (3) of the ePrivacy Directive refers to the “storing of information, or the gaining of access to information already stored” and stressed that this provision aims to protect the user from interference with his or her private sphere, regardless of whether that interference involves personal data or other data. According to him, it is clear that any such information has a privacy aspect to it, regardless of whether it constitutes ‘personal data’ within the meaning of Article 4, point 1, of the GDPR or not. Thus, the Advocate General considered that it makes no difference whether the information stored or accessed constitutes personal data, meaning that the obligation to obtain consent for the use of cookies is applicable regardless of whether a cookie contains personal or non-personal data.

Therefore, the Advocate General questioned the correct transposition of the ePrivacy Directive in German law insofar as the requirements under German law are less strict if no personal data are involved. Depending on the CJEU’s ruling, Germany may thus need to review its national rules on cookie permissions to avoid any potential infringement actions.

3. Information to be provided to a user for a consent to cookies to be valid

The Advocate General stated that due to the technical complexity of cookies, the average internet user cannot be expected to have a high level of knowledge of the operation of cookies. Therefore, he considered that the information provided must be, inter alia, sufficiently detailed so as to enable the user to comprehend the functioning of the cookies actually resorted to. According to the Advocate General, this includes both the duration of the operation of the cookies and the question of whether third parties are given access to the cookies.

It is important to note that the Advocate General considered that the duration of the operation of cookies is an element of the requirement for informed consent, meaning that service providers should always keep subscribers informed of the types of data they are processing and the purposes and duration for which it is done. More specifically, he stated that even if a cookie is essential, the question of how intrusive it is must be examined against the surrounding circumstances for consent purposes (in other words, long-lasting necessary cookies might still require consent purely based on their lifespan). In addition to asking what data each cookie holds and whether it is linked to any other information held about the user, service providers must consider the lifespan of the cookie and whether this lifespan is appropriate in light of the cookie’s purpose.

The Advocate General made a particularly interesting point concerning the information about third parties. According to him, a user should be explicitly informed whether third parties have access to the cookies set or not, and if third parties have access, their identity must be disclosed.

Conclusion

While the interpretation of the Advocate General as such does not come as a surprise, it casts some doubts on certain practices that have been accepted by the Data Protection Authorities. More specifically, it is unclear at this point whether the Advocate General’s interpretation of the notion of consent could be interpreted as prohibiting consent through further browsing and cookie walls. While his comments at first glance appear to exclude them, he appears to have left the door open to these possibilities through notably his comments on consent bundling and on information. As a result, bundling consent could perhaps still be acceptable in cases where there is a genuine ‘bargain’ between the controller and data subject to trade personal data as consideration for the provision of a particular service.

The decision of the CJEU will be greatly anticipated, and it is not bound by the opinion of the Advocate General. Either way, certain cookie-related practices are likely to have to change in a few months’ time.