On March 21, 2019, Advocate General Szpunar released his opinion in the Planet49 case, currently pending before the Court of Justice of the European Union (CJEU).  The case centers on the use of consent for the processing of personal data and consent for the use of cookies.

Planet49 GmbH offered an online lottery service for which interested users had to register.  The registration form asked users to tick a box allowing Planet49 GmbH to share their data with commercial partners.  Ticking this box was mandatory to participate in the lottery.  A second pre-ticked box allowed users to opt-out from the use of cookies (by unticking the box).  If they chose to opt-out, they could still participate in the lottery.

In the Advocate General’s view, the pre-ticked box for cookies does not provide a valid active consent under the GDPR nor under the ePrivacy Directive.  Moreover, he considers that the ePrivacy Directive’s consent requirement for cookies applies irrespective of whether the collected data qualify as personal data.  Furthermore, the consent here is not “separate” because, unless users uncheck the cookie box, they grant consent for cookies merely by clicking the “participate” button.  This argument is reinforced by the fact that users are apparently not informed of the option to uncheck that box.  According to the Advocate General, the cookie consent is presented as an ancillary consent that users have to go through if they wish to participate, when in fact the two separate consents – for cookies and for participation to the lottery – should be presented on an equal footing.  The Advocate General concludes that the German “Telemediengesetz” does not appear to accurately transpose the ePrivacy Directive by allowing the use of pseudonymized cookie data for advertising purposes on the basis of an opt-out rather than an opt-in consent.

In respect of the data-sharing tick box, the Advocate General accepts – despite some doubts about the way it is presented – that the consent is an opt-in consent, given that it is not pre-ticked.  Importantly, however, he accepts that users can be forced to provide their consent in order to participate in the lottery.  Since the underlying purpose of the lottery is to sell personal data to commercial partners, consent is necessary for participation in the lottery (para 99).  In other words, this is not a prohibited bundling of consent per Art. 7(4) of the GDPR.  The collection and use of data in exchange for a (free) service can thus be based on a mandatory consent.  (Note that the referring court did not ask questions about this data-sharing tick box, so the CJEU does not have to address this point in its final decision.)  This begs the question: why can’t the use of cookies for a commercial purpose also be “necessary” for the provision of a service? If that were the case, no consent would be required and the validity of the cookie tick box becomes irrelevant.  And even if consent were required, why could the cookie consent not also be bundled with the participation in the lottery, if the cookies serve a similarly essential commercial purpose?

Finally, the Advocate General explains that users must receive clear information about the use of cookies.  This means that the information must indicate the life span of each cookie and identify all third parties that have access to the cookies.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Photo of Anna Sophia Oberschelp de Meneses Anna Sophia Oberschelp de Meneses

I assist companies in navigating EU laws on technology, with a focus on data protection, cybersecurity, and consumer protection. My goal is to make complex regulations, such as the GDPR, AI Act, Unfair Commercial Practices Directive, and Digital Services Act, more accessible and…

I assist companies in navigating EU laws on technology, with a focus on data protection, cybersecurity, and consumer protection. My goal is to make complex regulations, such as the GDPR, AI Act, Unfair Commercial Practices Directive, and Digital Services Act, more accessible and relevant to everyday business operations.

Regarding data protection and privacy, I guide businesses on GDPR, ePrivacy Directive, and EU marketing laws, covering topics like international data transfers and privacy-focused marketing. Regarding cybersecurity, I help with risk assessments, incident response planning, and staying informed about regulations such as NIS2 and the Cyber Resilience Act. Regarding consumer protection, I assist companies in ensuring their terms are enforceable, their online platforms clearly provide required information, and their practices comply with rules against banned commercial activities.

Fluent in several languages and experienced in international contexts, I am committed to integrating compliance smoothly into business operations, enabling companies to succeed in the dynamic digital environment.