Norton Rose Fulbright - Data Protection Report blog

On March 21, 2019, Advocate General Szpunar released his opinion on the use of consent for the processing of personal data and for the use of cookies pursuant to the ePrivacy Directive and the General Data Protection Regulation (GDPR).

The opinion includes several key points on whether consent is ‘freely given’ pursuant to the ePrivacy Directive and the GDPR and also gives insight on what constitutes ‘informed consent.’

The underlying case submitted by the German Federal Court of Justice (Bundesgerichtshof) to the European Court of Justice (CJEU)

Planet49 GmbH offers an online lottery service that requires users to register prior to participating. The registration form required users to tick a box allowing Planet49 GmbH to share their data with commercial partners as a condition of participating in the lottery (i.e. it was not possible to register without ticking the box). A second pre-ticked box on the same page allowed users to opt out of the use of cookies (by unticking the box). Opting out of the cookies still allowed users to participate in the lottery.

In connection with proceedings brought by the Federation of German Consumer Organisations (the Bundesverband der Verbraucherzentralen) in relation to this registration process, the German Federal Court of Justice referred the following questions to the CJEU:

(1) Is a pre-ticked box that a user must deselect to refuse his consent valid consent for the use of cookies?

(2) What constitutes “clear and comprehensive” information about the cookies used, and does this include the duration of the operation of the cookies and whether third parties are given access to cookies?

These questions were considered both in the context of the ePrivacy Directive and the GDPR.

Opinion by Advocate General Szpunar

Question 1

In relation to the first question, the Advocate General considers that whether consent is ‘freely given’ and ‘informed’ is crucial for the questions submitted by the German Federal Court of Justice. The Advocate General argues that ‘requiring a user to positively untick a box … does not satisfy the criterion of active consent’ as it would be impossible to determine objectively whether or not a user has unambiguously given his consent on the basis of a freely given and informed decision. This is because the pre-formulated text next to the box may or may not have been read and/or the user may have omitted to untick the box out of pure negligence. This ambiguity, the Advocate General argues, can only be removed with active, as opposed to passive, behavior, such as ticking an unticked box.

Further, and in the opinion of the Advocate General ‘more importantly’, the participation in a service and the giving of consent to the installation of cookies ‘cannot form part of the same act’. In the Planet49 registration process, the user only has to click once on the “participation” button to participate in the lottery and consent to the installation of cookies. The Advocate General considers that this does not conform to the notion of “freely given” separate consent, as the consent for the two actions should be presented separately (albeit “on an equal footing”). Moreover, even though participation in the lottery was not conditional upon giving consent to the installation of, and gaining access to, cookies, the Advocate General argues that at no point was the user informed of this and accordingly the consent collected was not ‘fully informed’.

In response to a further question linked to question 1, the Advocate General confirms that any ‘information’ stored or accessed in connection with the use of cookies has a privacy aspect to it. Therefore, it makes no difference in applying the cookie consent rule under the ePrivacy Directive whether the information stored or accessed is personal data or not.

Separately, the Advocate General considers whether the fact that users are forced to provide their consent to data sharing in order to participate in the lottery is acceptable. Based on the facts, the Advocate General considers that the underlying purpose of the lottery is to share personal data with commercial partners who provide promotional offers. As a result, such sharing of data is necessary for participation in the lottery and does not constitute a prohibited bundling of consent under Article 7(4) of the GDPR.

Question 2

In relation to the second question, the Advocate General argues that due to the technical complexity of cookies, the asymmetrical level of knowledge between provider and user and the relative lack of knowledge of any average internet user, internet users cannot be expected to have a high level of knowledge of the operation of cookies.

Therefore, a user must be provided with information that is ‘clearly comprehensible’ and not ‘subject to ambiguity or interpretation’ as well as ‘sufficiently detailed so as to enable the user to comprehend the functioning of the cookies actually resorted to’. This enables the user to determine the consequences of any consent given. The Advocate General argues that this includes information both about the duration of the operation of the cookies and also whether third parties are given access to the cookies (in which case the identity of the third parties must be disclosed).

Our take

Assuming that the CJEU follows the opinion issued by Advocate General Szpunar, this opinion provides useful clarification on the requirements of consent, in particular on what constitutes ‘freely given’ and ‘fully informed’ consent. It also clarifies that consent to the collection and use of data can be a condition of using a (free) service, notwithstanding the general restrictions on conditional consent in the GDPR.

The Opinion also makes it clear that companies must ensure that the information that they provide about their cookie usage is sufficiently detailed so as to enable the user to comprehend the functioning of the cookies, including both the duration of the operation of the cookies and the question of whether third parties are given access to the cookies. Rather unhelpfully, however, the Opinion does not explain how to reference the relevant third parties and how website operators are expected to collect GDPR-compliant consent on behalf of these third parties. Therefore, the key question in the adtech space at the moment remains unanswered.