Under the EU ePrivacy Directive, an individual's prior and informed consent is generally required to drop cookies on or read cookies from his or her device. The degree to which cookie walls, banners and popups comply with these requirements has been the subject of some debate. In March 2019, an independent advisor to the EU's highest court, Advocate General Szpunar, issued an opinion regarding these notice and consent requirements in the case of Planet 49 GmbH (case C-673/17).
In the opinion, the Advocate General (AG) took the view that a pre-ticked cookie consent box did not fulfil the conditions for valid consent as the consent was neither active nor freely-given. Moreover, the AG determined that the act of providing consent must be separate from other actions, such as entering a competition. Finally, the AG concluded that the information provided to the user should include the duration of the cookies and whether third parties can access the cookies.
We examine this opinion and consider how it aligns with recent revisions to cookie consent proposals under the draft ePrivacy Regulation, which will replace the ePrivacy Directive.
Planet49, based in Germany, had organised a promotional lottery. Registration required entry of a person's postcode, which then prompted entry of that person's name and address. Underneath that prompt appeared two checkboxes. The first checkbox, which was mandatory for participation in the lottery, and sought consent to marketing from lottery sponsors and partners, was not pre-ticked. The second checkbox, which was voluntary for participation and sought consent to cookies for profiling purposes, was pre-ticked. Information was provided about the sponsors and partners, the functioning of the cookies and interests-based profiling, how to delete cookies, and how to contact Planet49 to revoke consents given.
A case brought by a consumers action group against Planet49 made its way through the German court system before being referred to the CJEU. The German Federal Court of Justice sought clarification on two key questions:
- Can pre-ticked boxes constitute valid consent to cookies, and is this answered differently under GDPR-standard consent?
- What scope of information, provided at the point of consent, is necessary to satisfy the "clear and comprehensive information" standard?
No valid consent
In AG Szpunar's view, pre-ticked boxes do not obtain valid consent from users. In particular:
- The standard of a clear affirmative action consenting to cookies requires active consent, both pre- and post-GDPR. This is especially the case given the 2009 amendments to the ePrivacy Directive, which replaced the informed opt-out consent model with an informed opt-in model.
- An act of dissent is not equivalent to an act of consent.
- The act of consent cannot form part of another act, such as entering the lottery. The consent to cookies must be expressed separately.
- Users lacked full information because Planet49 gave no suggestion that users could untick the pre-ticked second checkbox.
Interplay between ePrivacy and GDPR
AG Szpunar formed the opinion that it is irrelevant to the referred questions whether cookies constitute personal data. This is because the relevant provision of the ePrivacy Directive, Article 5(3), regulates the storage and access of "information", not just personal data. The scope of the GDPR does not therefore limit the scope of the ePrivacy Directive. This is noteworthy since organisations that rely on cookies should keep in mind that they are responsible for complying with the ePrivacy Directive in addition to the GDPR.
Technical information about cookies
According to the AG, the "clear and comprehensive information" that organisations should provide must include information on the duration of operation of the cookies (ie their expiry periods) and details on third party access. A user should be easily able to determine the consequences of his or her consent. The average internet user is relatively uninformed regarding the operation of cookies, and organisations must provide sufficient information on that basis.
What this means
The CJEU will now consider the referral and the AG's opinion. While the CJEU tends to follow AG opinions in issuing its judgment, it is not always the case. In some instances, the CJEU adopts some of the principles of the AG's opinion but ultimately applies them in a different manner. Equally, the CJEU may decide that addressing certain points, which the AG chose to opine on, may not be necessary to answer the German court's questions. It may therefore choose not to express a view on such ancillary points.
Additionally, it remains to be seen whether the AG's opinion and, ultimately, the CJEU's judgment could raise questions around the validly of some commonly-used approaches to cookie consent. In particular, the AG considered whether consents could be 'bundled' and potentially be expressed by the same act. It will be interesting to see whether the CJEU chooses to adopt or expand upon this view, particularly in light of consents that are expressed by a user's decision to continue using or accessing a website. However, as the present case is one of stark non-compliance due to an unclear opt-out approach, the CJEU may avoid the issue of bundling. It is as yet unclear whether the CJEU judgment will have a far-reaching impact.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.