EU Advocate General Issues Opinion on Consent for Cookies and Intersection with the GDPR

By Kristof Van Quathem & Anna Sophia Oberschelp de Meneses on March 22, 2019

Posted in Data Privacy, EU Data Protection, European Union, Privacy Policies

On March 21, 2019, Advocate General Szpunar released his opinion in the Planet49 case, currently pending before the Court of Justice of the European Union (CJEU). The case centers on the use of consent for the processing of personal data and consent for the use of cookies.

Planet49 GmbH offered an online lottery service for which interested users had to register. The registration form asked users to tick a box allowing Planet49 GmbH to share their data with commercial partners. Ticking this box was mandatory to participate in the lottery. A second pre-ticked box allowed users to opt-out from the use of cookies (by unticking the box). If they chose to opt-out, they could still participate in the lottery.

In the Advocate General’s view, the pre-ticked box for cookies does not provide a valid active consent under the GDPR nor under the ePrivacy Directive. Moreover, he considers that the ePrivacy Directive’s consent requirement for cookies applies irrespective of whether the collected data qualify as personal data. Furthermore, the consent here is not “separate” because, unless users uncheck the cookie box, they grant consent for cookies merely by clicking the “participate” button. This argument is reinforced by the fact that users are apparently not informed of the option to uncheck that box. According to the Advocate General, the cookie consent is presented as an ancillary consent that users have to go through if they wish to participate, when in fact the two separate consents – for cookies and for participation to the lottery – should be presented on an equal footing. The Advocate General concludes that the German “Telemediengesetz” does not appear to accurately transpose the ePrivacy Directive by allowing the use of pseudonymized cookie data for advertising purposes on the basis of an opt-out rather than an opt-in consent.

In respect of the data-sharing tick box, the Advocate General accepts – despite some doubts about the way it is presented – that the consent is an opt-in consent, given that it is not pre-ticked. Importantly, however, he accepts that users can be forced to provide their consent in order to participate in the lottery. Since the underlying purpose of the lottery is to sell personal data to commercial partners, consent is necessary for participation in the lottery (para 99). In other words, this is not a prohibited bundling of consent per Art. 7(4) of the GDPR. The collection and use of data in exchange for a (free) service can thus be based on a mandatory consent. (Note that the referring court did not ask questions about this data-sharing tick box, so the CJEU does not have to address this point in its final decision.) This begs the question: why can’t the use of cookies for a commercial purpose also be “necessary” for the provision of a service? If that were the case, no consent would be required and the validity of the cookie tick box becomes irrelevant. And even if consent were required, why could the cookie consent not also be bundled with the participation in the lottery, if the cookies serve a similarly essential commercial purpose?

Finally, the Advocate General explains that users must receive clear information about the use of cookies. This means that the information must indicate the life span of each cookie and identify all third parties that have access to the cookies.

Inside Privacy

About this Blog