ECJ case to settle what should be common sense on cookie consent

This week ECJ Advocate General Maciej Szpunar issued his Opinion on the Planet 49 Case – a case dealing with issues which should have been sufficiently clear not to bother the Court in the first place. Namely, it is about (a) pre-checked boxes as means to collect consent for placing cookies and (b) if, under the ePrivacy Directive, the same consent conditions are applicable irrespective whether the storing and gaining access to information on a user’s equipment means processing personal data or not and (c) what is clear and comprehensive information about cookies. The case started in Germany in 2017, when the Data Protection Directive 95/46/EC (the “DPD”) was in force, but the preliminary questions regarding consent also refer to the GDPR.

According to the facts described in the AG Opinion, Planet 49 was organizing a promotional lottery on a website and presented 2 checkboxes to people when they wanted to participate:

1“I agree to certain sponsors and cooperation partners providing me with information by post or by telephone or by email/SMS about offers from their respective commercial sector. I can determine these myself here; otherwise, the selection is made by the organiser. I can revoke this consent at any time. Further information about this can be found here”
2“I agree to the web analytics service Remintrex being used for me. This has the consequence that, following registration for the lottery, the lottery organiser, Planet49 GmbH, sets cookies, which enables Planet49 to evaluate my surfing and use behaviour on websites of advertising partners and thus enables advertising by Remintrex that is based on a user’s interests. I can delete the cookies again at any time. You can read more about this here.”

Checkbox 2: consent is not valid under the DPD or the GDPR

On the issue of the pre-ticked Checkbox no. 2, the AG is of the view that it does not constitute valid consent, neither under the DPD nor under the GDPR. Consent must be an active and unambiguous behaviour – these conditions are not met in the case of a pre-formulated text which requires a person to actively object to it (i.e. to uncheck the box). More so, consent for placing cookies must be separate and cannot be inferred from other types of user behaviour such as reading a web page, clicking on a button to participate in the lottery or watching a video. In other words, if you did not uncheck box no. 2, but hit the button to participate in the lottery, this last action would signify both consent for cookies and consent for the lottery – which is ambiguous. The same principles regarding consent also apply under the GDPR.

The AG also took the opportunity to provide clarifications on what cookies represent and underlined some useful principles on the topic of placing cookies. Although cookies can be categorised according to their lifespan or the domain they belong to, the AG says that “The validity of consent to the placement of cookies and the applicability of any relevant exemptions, however, should be evaluated based on the purpose of the cookie rather than the technical features.”

Checkbox 1: national court to assess whether participation in the lottery can be conditioned on consent

The AG considers that the national court must assess whether the processing of personal data can be considered necessary for the participation in the lottery. If so, Planet 49 can validly condition the participation on the person’s agreement that their personal data be processed for sending promotional offers. In other words, it could be that obliging users to tick box no. 1 before they can hit the button to participate in the lottery is lawful.

However, we point out that this is not an issue of consent per se. It is quite misleading to ask someone to check a box, as if asking for consent, when the processing of personal data would in fact be necessary for the performance of a contract with the data subject.

Placing cookies and processing personal data

The accessing of data from cookies placed by Planet 49 constitutes processing of personal data – this is an uncontested aspect of the case. Still, the referring national court asks whether, from the standpoint of the ePrivacy Directive requirements on consent, it makes a difference if the information stored or accessed constitutes personal data.

This question seemingly arose because of the way in which the German law transposed the ePrivacy Directive. The German Telemedia Act (TMG) article 15(3) suggested that the requirements on consent under the DPD/GDPR would not apply if the information stored and accessed would not constitute personal data.

The AG clarifies that, under the ePrivacy Directive, the conditions for valid consent (as provided by the DPD/GDPR) apply to any storing and accessing of information on a person’s device, irrespective of such information being personal data or not.

What constitutes clear and comprehensive information about cookies?

What kind of information should have Planet49 provided to users in order to obtain informed consent for placing cookies? The AG says that the functioning of cookies is technically complex and that “the average internet user cannot be expected to have a high level of knowledge of the operation of cookies”.

Clear and comprehensive information on cookies means that the user can “easily determine the consequences of any consent he might give. To that end he must be able to assess the effects of his actions.” From a practical perspective this means that:

  • the user must receive information about the lifespan of the cookies; and
  • whether third parties have access to the cookie information or not (if yes, then such third parties must be identified).

Of course, we underline that points (a) and (b) above must be presented together with the purposes of the cookies. See this presentation by a representative of the Spanish Data Protection Authority on providing information to users about cookies (available in Spanish).

Case-law generated by incorrect transpositions of the ePrivacy Directive?

Just reading the ePrivacy Directive, it is surprising that the German referring Court felt the need to send preliminary questions to the ECJ at all. However, as the AG indicated in para. 109 of its Opinion, “it does appear as if Article 15(3) of the TMG does not fully transpose the requirements of Article 5(3) of Directive 2002/58 into German law” and this is connected to the need for sending a preliminary question on whether it makes a difference under the ePrivacy Directive requirements on consent if the information stored or accessed is personal data.

For example, the Romanian ePrivacy Law “forgot” to transpose an essential detail resulting in the fact that lawyers have to make additional interpretation steps to reach a basic conclusion. Namely, the Romanian ePrivacy Law did not transpose at all the definition of consent which is provided in Art. 2(f) in the ePrivacy Directive and which states that ‘consent’ by a user or subscriber corresponds to the data subject’s consent in Directive 95/46/EC. The Romanian ePrivacy Law merely states as a general provision that it shall be supplemented by the Romanian Data Protection Law (which had in the past transposed the DPD and is presently replaced by the GDPR). Obviously, since the ePrivacy Directive refers to consent in the former DPD, which has been replaced by the GDPR, it follows that consent for cookie placement is the same consent regulated under the GDPR, and that this standard applies even where there is no processing of personal data through those cookies.

Unfortunately, transposition errors such as the one in the Romanian ePrivacy Law and seemingly the one in the German Telemedia Act give rise to debates on issues which should have already been settled.

One Response