The opinion includes several key points on whether consent is ‘freely given’ pursuant to the ePrivacy-Directive and the GDPR and also gives insight on what constitutes ‘informed consent.’
The underlying case submitted by the German Federal Court of Justice (Bundesgerichtshof) to the European Court of Justice (CJEU)
In connection with proceedings brought by the Federation of German Consumer Organisations (the Bundesverband der Verbraucherzentralen) in relation to this registration process, the German Federal Court of Justice referred the following questions to the CJEU:
(2) What constitutes “clear and comprehensive” information about the cookies used and does this include the duration of the operation of the cookies and whether third parties are given access to cookies?
These questions were considered both in the context of the ePrivacy Directive and the GDPR.
Opinion by Advocate General Szpunar
In relation to the first question, the Advocate General considers that whether consent is ‘freely given’ and ‘informed’ is crucial for the questions submitted by the German Federal Court of Justice. The Advocate General argues that ‘requiring a user to positively untick a box … does not satisfy the criterion of active consent’ as it would be impossible to determine objectively whether or not a user has unambiguously given his consent on the basis of a freely given and informed decision. This is because the pre-formulated text next to the box may or may not have been read and/or the user may have omitted to untick the box out of pure negligence. This ambiguity, the Advocate General argues, can only be removed with active, as opposed to passive, behavior, such as ticking an unticked box.
Further, and in the opinion of the Advocate General ‘more importantly’, the participation in a service and the giving of consent to the installation of cookies ‘cannot form part of the same act’. In the Planet49 registration process, the user only has to click once on the “participation” button to participate in the lottery and consent to the installation of cookies. The Advocate General considers that this does not conform to the notion of “freely given” separate consent, as the consent for the two actions should be presented separately (albeit “on an equal footing”). Moreover, even though participation in the lottery was not conditional upon giving consent to the installation of, and gaining access to, cookies, the Advocate General argues that at no point was the user informed of this and accordingly the consent collected was not ‘fully informed’.
Separately, the Advocate General considers whether the fact that users are forced to provide their consent to data sharing in order to participate in the lottery is acceptable. Based on the facts, the Advocate General considers that the underlying purpose of the lottery is to share personal data with commercial partners who provide promotional offers. As a result, such sharing of data is necessary for participation in the lottery and does not constitute a prohibited bundling of consent under Article 7(4) of the GDPR.
In relation to the second question, the Advocate General argues that due to the technical complexity of cookies, the asymmetrical level of knowledge between provider and user and the relative lack of knowledge of any average internet user, internet users cannot be expected to have a high level of knowledge of the operation of cookies.
Therefore, a user must be provided with information that is ‘clearly comprehensible’ and not ‘subject to ambiguity or interpretation’ as well as ‘sufficiently detailed so as to enable the user to comprehend the functioning of the cookies actually resorted to’. This enables the user to determine the consequences of any consent given. The Advocate General argues that this includes information both about the duration of the operation of the cookies and also whether third parties are given access to the cookies (in which case the identity of the third parties must be disclosed).
Assuming that the CJEU follows the opinion issued by Advocate General Szpunar, this opinion provides useful clarification on the requirements of consent and in particular what constitutes ‘freely given’ and ‘fully informed’ consent and the fact that consent to the collection and use of data can be a condition of using a (free) service notwithstanding the general restrictions on conditional consent in the GDPR.
The Opinion also makes it clear that companies must ensure that the information that they provide about their cookie usage is sufficiently detailed so as to enable the user to comprehend the functioning of the cookies, including both the duration of the operation of the cookies and the question of whether third parties are given access to the cookies. Rather unhelpfully, however, the Opinion does not explain how to reference the relevant third parties and how website operators are expected to collect GDPR-complaint consent on behalf of these third parties. Therefore, the key question in the adtech space at the moment remains unanswered.