On March 21, 2019, the Advocate General (AG) of the highest EU Court (the Court of Justice of the European Union (CJEU)) issued an opinion (opinion) in the Planet49 case[1] on what constitutes valid consent for cookies under the Data Protection Directive, the GDPR, and the e-Privacy Directive.
In particular, the AG opines that: 1) a pre-ticked checkbox that users must untick to refuse consent does not constitute valid consent; 2) consent for cookies should not be bundled with other consents; and 3) users must be informed about the cookies’ lifespan and the third parties accessing the cookies. AG opinions are not binding on the CJEU, but are often influential. If the CJEU follows the AG Opinion, it will likely impact widely-adopted cookie consent practices in the EU and underlying business models that rely on such consent.
Background
Under the ePrivacy Directive, storing or accessing information on users’ devices via cookies or other similar technologies is, with a few limited exceptions, only allowed with the user’s consent. The e-Privacy Directive looks to the GDPR for what constitutes valid consent. Under the GDPR, consent must be freely given, specific, informed, and an unambiguous indication of the data subject’s wishes.
Planet49 is an online lottery provider using cookies for marketing and advertising purposes. To participate in the lottery, a user was required to enter his zip code, which prompted a page containing fields for the user’s name and address. Below the fields were two sets of checkboxes and a participate button:
- The first—unticked—checkbox allowed users to consent to receiving marketing from third parties. That box had to be ticked for a user to participate in the lottery.
- The second—pre-ticked—checkbox granted a user’s consent to cookies.
- If the user clicked the participation button and the first checkbox, he/she was deemed to have consented to the installation of cookies as that box was pre-ticked.
The Federation of German Consumer Organisations sued Planet49 before German courts arguing that the consent obtained by Planet49 for the use of cookies did not meet EU data protection law. The case was ultimately referred to the CJEU on certain points of law, in particular whether the use of a pre-ticked checkbox constitutes valid consent to collect data through cookies, what information the user should receive to meet the consent requirements of the ePrivacy Directive, and whether it makes a difference if the information stored or accessed through cookies constitutes “personal data.”
Key Takeaways of the Opinion
While the opinion is not binding, it includes a number of interesting points:
- Pre-ticked checkboxes do not constitute valid consent. According to the AG, users must actively consent to the use of cookies; a user that remains passive by not unticking a checkbox does not provide a valid consent. The AG goes on by stating that consent must be explicit; not implied. The AG’s rationale is that with a pre-ticked checkbox, it is impossible to determine objectively whether or not a user has freely given informed consent.
- Consents for different processing activities must be separate. Consent to cookies must be separate from consent for other processing activities. Planet49 obtained consent for two different processing activities (participation in the lottery and consent to the installation of cookies) through a single click on the participation button. The AG found that this consent was bundled and thus invalid as it was not specific enough.
- The consent requirement of the GDPR applies to the use of cookies whether or not the cookies are personal data. According to the AG, there is no difference whether the information stored or accessed through cookies constitutes personal data. The consent requirements apply to the storing or accessing of information on users’ devices via cookies or other similar technologies regardless of whether they involve personal data.
- Valid consent requires clear and comprehensive information. Users must be able to understand what their consent covers, and in particular the consequences of any consent they may grant. The AG opined that the technical complexity of cookies creates an asymmetry of information and that average users cannot be expected to have a high level of knowledge of how cookies operate. As a consequence, companies must provide clear, comprehensive, and unambiguous information to users, in particular information on the lifespan of the cookies and the identity of the third parties that gain access to the cookies (and data collected through them).
Conclusion
It remains to be seen whether the CJEU will follow the opinion. The CJEU is expected to issue its judgment in the following months, but a specific date has not been made public yet. This case, together with the Fashion ID CJEU case, is likely to have a significant impact for all parties involved in the ad tech sphere. If the CJEU adopts the positions taken by the AG, companies may have to change their cookie consent practices. Website publishers and ad tech companies should monitor these cases closely as they are likely to shape market practices in the EU for the foreseeable future.
[1] Opinion of Advocate General Szpunar in Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände— Verbraucherzentrale Bundesverband e.V. (Case C‑673/17), March 21, 2019.