On March 21, 2019, Advocate General Szpunar released his opinion in the Planet49 case, currently pending before the Court of Justice of the European Union (CJEU).  The case centers on the use of consent for the processing of personal data and consent for the use of cookies.

Planet49 GmbH offered an online lottery service for which interested users had to register.  The registration form asked users to tick a box allowing Planet49 GmbH to share their data with commercial partners.  Ticking this box was mandatory to participate in the lottery.  A second pre-ticked box allowed users to opt-out from the use of cookies (by unticking the box).  If they chose to opt-out, they could still participate in the lottery.

In the Advocate General’s view, the pre-ticked box for cookies does not provide a valid active consent under the GDPR nor under the ePrivacy Directive.  Moreover, he considers that the ePrivacy Directive’s consent requirement for cookies applies irrespective of whether the collected data qualify as personal data.  Furthermore, the consent here is not “separate” because, unless users uncheck the cookie box, they grant consent for cookies merely by clicking the “participate” button.  This argument is reinforced by the fact that users are apparently not informed of the option to uncheck that box.  According to the Advocate General, the cookie consent is presented as an ancillary consent that users have to go through if they wish to participate, when in fact the two separate consents – for cookies and for participation to the lottery – should be presented on an equal footing.  The Advocate General concludes that the German “Telemediengesetz” does not appear to accurately transpose the ePrivacy Directive by allowing the use of pseudonymized cookie data for advertising purposes on the basis of an opt-out rather than an opt-in consent.

In respect of the data-sharing tick box, the Advocate General accepts – despite some doubts about the way it is presented – that the consent is an opt-in consent, given that it is not pre-ticked.  Importantly, however, he accepts that users can be forced to provide their consent in order to participate in the lottery.  Since the underlying purpose of the lottery is to sell personal data to commercial partners, consent is necessary for participation in the lottery (para 99).  In other words, this is not a prohibited bundling of consent per Art. 7(4) of the GDPR.  The collection and use of data in exchange for a (free) service can thus be based on a mandatory consent.  (Note that the referring court did not ask questions about this data-sharing tick box, so the CJEU does not have to address this point in its final decision.)  This begs the question: why can’t the use of cookies for a commercial purpose also be “necessary” for the provision of a service? If that were the case, no consent would be required and the validity of the cookie tick box becomes irrelevant.  And even if consent were required, why could the cookie consent not also be bundled with the participation in the lottery, if the cookies serve a similarly essential commercial purpose?

Finally, the Advocate General explains that users must receive clear information about the use of cookies.  This means that the information must indicate the life span of each cookie and identify all third parties that have access to the cookies.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.