On 21 March 2019, Advocate General (AG) Maciej Szpunar delivered his opinion on a number of questions which, inter alia, relate to the validity of consent to cookies “by way of a pre-checked checkbox” (Case C-673/17). While the questions referred to the Court of Justice of the European Union (CJEU) primarily related to provisions of the Privacy and Electronic Communications Directive (2002/58/EC), the AG stated that the principles established in his opinion were equally valid for the EU General Data Protection Regulation (GDPR).

Free and Informed Consent

The AG stressed that for consent to be ‘freely given’ and ‘informed’ (as required, inter alia, under Art. 4, No. 11 of the GDPR), “it must not only be active, but also separate.”

First, there was no active consent “where the storage of information, or access to information” was “permitted by way of a pre-ticked checkbox which the user must deselect to refuse his consent.” Second, the requirement of separate consent implied that an activity a user pursues on the Internet (e.g., reading a webpage) and the giving of consent do not “form part of the same act.” In particular, from the perspective of the user, the giving of consent should “not appear to be of an ancillary nature” to the user’s Internet activities. The giving of consent should “optically in particular, be presented on an equal footing” with other actions such as (as in the case before the referring court) hitting a ‘participation button.’

Information Duties with Regard to Cookies

The AG also addressed information duties under the GDPR (e.g., Articles 13 and 14), which he considered to be linked to consent “in that there must always be information before there can be consent.” The AG stressed that “due to the technical complexity of cookies,” there was “asymmetrical information” between the website provider and an average Internet user about the operation of cookies. Thus, “clear and comprehensive information” required that a user was able to “comprehend the functioning of the cookies actually resorted to.” The required information should, in particular, include “the duration of the operation of the cookies and […] whether third parties are given access to the cookies or not.”