On March 21, 2019, the Advocate General (AG) of the highest EU Court (the Court of Justice of the European Union (CJEU)) issued an opinion (opinion) in the Planet49 case on what constitutes valid consent for cookies under the Data Protection Directive, the GDPR, and the e-Privacy Directive.
In particular, the AG opines that: 1) a pre-ticked checkbox that users must untick to refuse consent does not constitute valid consent; 2) consent for cookies should not be bundled with other consents; and 3) users must be informed about the cookies’ lifespan and the third parties accessing the cookies. AG opinions are not binding on the CJEU, but are often influential. If the CJEU follows the AG Opinion, it will likely impact widely-adopted cookie consent practices in the EU and underlying business models that rely on such consent.
Under the ePrivacy Directive, storing or accessing information on users’ devices via cookies or other similar technologies is, with a few limited exceptions, only allowed with the user’s consent. The e-Privacy Directive looks to the GDPR for what constitutes valid consent. Under the GDPR, consent must be freely given, specific, informed, and an unambiguous indication of the data subject’s wishes.
Planet49 is an online lottery provider using cookies for marketing and advertising purposes. To participate in the lottery, a user was required to enter his zip code, which prompted a page containing fields for the user’s name and address. Below the fields were two sets of checkboxes and a participate button:
- The first—unticked—checkbox allowed users to consent to receiving marketing from third parties. That box had to be ticked for a user to participate in the lottery.
- The second—pre-ticked—checkbox granted a user’s consent to cookies.
- If the user clicked the participation button and the first checkbox, he/she was deemed to have consented to the installation of cookies as that box was pre-ticked.
Key Takeaways of the Opinion
While the opinion is not binding, it includes a number of interesting points:
- Consents for different processing activities must be separate. Consent to cookies must be separate from consent for other processing activities. Planet49 obtained consent for two different processing activities (participation in the lottery and consent to the installation of cookies) through a single click on the participation button. The AG found that this consent was bundled and thus invalid as it was not specific enough.
- Valid consent requires clear and comprehensive information. Users must be able to understand what their consent covers, and in particular the consequences of any consent they may grant. The AG opined that the technical complexity of cookies creates an asymmetry of information and that average users cannot be expected to have a high level of knowledge of how cookies operate. As a consequence, companies must provide clear, comprehensive, and unambiguous information to users, in particular information on the lifespan of the cookies and the identity of the third parties that gain access to the cookies (and data collected through them).
It remains to be seen whether the CJEU will follow the opinion. The CJEU is expected to issue its judgment in the following months, but a specific date has not been made public yet. This case, together with the Fashion ID CJEU case, is likely to have a significant impact for all parties involved in the ad tech sphere. If the CJEU adopts the positions taken by the AG, companies may have to change their cookie consent practices. Website publishers and ad tech companies should monitor these cases closely as they are likely to shape market practices in the EU for the foreseeable future.
 Opinion of Advocate General Szpunar in Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände— Verbraucherzentrale Bundesverband e.V. (Case C‑673/17), March 21, 2019.