Cookies privacy consent under the GDPR was tested in the opinion of the EU Advocate General on the Planet49 case, opening interesting questions on the current regime.
On 21 March 2019, the EU Advocate General Szpunar delivered his opinion on the Planet49 case, an important case regarding the privacy rules applicable to cookies currently pending before the Court of Justice of the European Union (CJEU). And this is an interesting article on the topic initially published on Privacy Matters blog by my colleagues Patrick Van Eecke and Anne-Gabrielle Haie.
Planet49 and privacy cookies consent as a condition to participate to a lottery
Planet49, a company registered in Germany, hosted on its website a lottery. To participate in the lottery, a participant was required to enter his name and address. Beneath the input fields for the address were two sets of checkboxes.
The first checkbox was not pre-ticked, and it was meant for the participant to consent to being contacted by certain sponsors about their commercial offers. The second checkbox was pre-ticked, and it was meant for the participant to consent to have cookies placed on his device for the purposes of providing targeted ads to the participant.
According to the rules of the lottery, participation was only possible if the participant ticked at least the first checkbox.
The Bundesverband (Federation of German Consumer Organisations) ultimately instituted court proceedings against Planet49, claiming that the latter’s declarations of consent used for the lottery did not meet the necessary requirements of informed and freely given consent. The case reached Germany’s Federal Court of Justice, which then referred the case before the CJEU, seeking guidance on the interpretation of certain provisions of the EU ePrivacy Directive 2002/58, the EU Data Protection Directive 95/46,, and the EU General Data Protection Regulation 2016/679 (the GDPR).
In his opinion, the Advocate General interprets the notion of consent under the EU data protection and privacy legal framework, the scope of the ePrivacy Directive and the information to be provided to the data subject to obtain an informed consent.
Criteria for cookies privacy consent under the GDPR
It is important to note that the Planet49 case constitutes the first interpretation of the notion of cookies privacy consent under the GDPR. Although the facts occurred before the entry into application of the GDPR, the EU Advocate General applied the principles of the GDPR to the case considering that the Budesverband’s injuction also covered future behaviour from Planet49.
After assessing the conditions for valid consent under both the EU Directive 95/46 and the GDPR, the EU Advocate General came to the conclusion that there were no substantial differences between the two texts with regard to consent between the two regimes. He only noted that the GDPR is more explicit in laying down certain criteria.
The EU Advocate General emphasized that consent needs to be manifested in an active manner. It requires an unambiguous indication of the data subject’s wishes and a clear affirmative action signifying agreement to the processing of personal data. Consequently, he outlined that a simple inaction is insufficient but some sort of action is required to constitute consent.
Moreover, he stressed that for consent to be freely given and informed, it must not only be active, but also separate. Thus, the EU Advocate General considered that the activity that a user pursues on the internet and the giving of consent cannot form part of the same act. More specifically, the giving of consent cannot appear to be of an ancillary nature to the activity pursued on the Internet, but both actions must optically be presented on an equal footing. According to the EU Advocate General, it must be crystal-clear to a user whether the activity he pursues on the internet is contingent upon the giving of consent and the user must know whether and, if so, to what extent is giving of consent has a bearing on the pursuit of his activity on the internet. As a consequence, he expressed his doubts as to whether a bundle of expressions of intention, which would include the giving of consent, would be in conformity with the data protection legal framework.
In light of these principles, the EU Advocate General considered that Planet49 did not obtain valid consent to the placing of cookies on the lottery participants’ devices (second checkbox), as it fulfilled neither of the three criteria.
In this respect, the EU Advocate General stated that
- requiring a user to positively untick a box and therefore become active if he does not consent to the installation of cookies does not satisfy the criterion of active consent. In such a situation, he considered that it is virtually impossible to determine objectively whether or not a user has given his consent on the basis of a freely given and informed decision. By contrast, requiring a user to tick a box would make such an assertion far more probable;
- considered that a pre-ticked checkbox such as the second Planet49 checkbox (for cookies) did not fulfil the conditions of separate and informed consent, since the consenting to cookies was bundled together with the expression of intent to participate in the lottery, and the participant was apparently not informed of the fact that consenting to cookies was not mandatory for him to be able to participate in the lottery. The main question that he raised is whether the processing of personal data is necessary for the participation in the lottery as in his view would be case with reference to the lottery.
The ePrivacy Directive protects information rather than just personal data
The EU Advocate General further examined whether it makes a difference if the information stored by cookies constitutes personal data or does not constitute personal data.
The EU Advocate General’s answer to this issue is straightforward. He recalled that the wording of Article 5 (3) of the ePrivacy Directive refers to the
storing of information, or the gaining of access to information already stored
Therefore, the Advocate General questioned the correct transposition of the ePrivacy Directive in German law insofar as the requirements under German law are less strict if no personal data are involved. Depending on the CJEU’s ruling, Germany may thus need to review its national rules on cookie permissions to avoid any potential infringement actions.
3. Information to be provided to a user for a consent to cookies to be valid
The Advocate General stated that due to the technical complexity of cookies, the average Internet user cannot be expected to have a high level of knowledge of the operation of cookies. Therefore, he considered that the information provided must be, inter alia, sufficiently detailed so as to enable the user to comprehend the functioning of the cookies actually resorted to. According to the EU Advocate General, this includes both the duration of the operation of the cookies and the question of whether third parties are given access to cookies.
It is important to note that the EU Advocate General considered that the duration of the operation of cookies is an element of the requirement for informed consent, meaning that service providers should always keep subscribers informed of the types of data they are processing and the purposes and duration for which it is done. More specifically, he stated that even if a cookie is essential, the question of how intrusive it is must be examined against the surrounding circumstances for consent purposes (in other words, long-lasting necessary cookies might still require consent purely based on their lifespan). In addition to asking what data each cookie holds and whether it is linked to any other information held about the user, service providers must consider the lifespan of the cookie and whether this lifespan is appropriate in light of the cookie’s purpose.
The EU Advocate General made a particularly interesting point concerning the information about third parties. According to him, a user should be explicitly informed whether third parties have access to the cookies set or not, and if third parties have access, their identity must be disclosed.
Open challenges on privacy cookies consent of the Planet49 opinion
While the interpretation of the Advocate General as such does not come as a surprise, it casts some doubts on certain practices that have been accepted by the Data Protection Authorities. More specifically, it is unclear at this point whether the Advocate General’s interpretation of the notion of consent could be interpreted as prohibiting consent through further browsing and cookie walls.
This approach is not in line for instance with the Guidelines of the Italian data protection authority on cookies that can be read in this article “Cookies in Italy…, finally with guidelines!” creating an uncertainty as to whether such guidelines are still applicable under the GDPR