Who: Advocate General Szpunar (the AG), Planet49 GmbH (Planet49)
When: 21 March 2019
Law stated as at: 30 April 2019
This German case, which was referred to the CJEU for a preliminary ruling from the German Federal Court of Justice (Bundesgerichtshof), revolves around a lottery organised by Planet49 which presented individuals with two tick boxes before they could participate. The first required the user to consent to direct marketing from a range of third parties (this tick box was not pre-ticked) and the second required the user to consent to cookies (this box was given a pre-selected tick). The second tick box did not make it clear that users did not have to consent to cookies in order to participate in the lottery, nor did it clarify how users could subsequently withdraw their consent to cookies.
Although this case was brought before GDPR came into force, the resulting Opinion from the Advocate General of the CJEU also considers consent under the GDPR regime and advises on ongoing compliance in this area and is one of the first examples of an authority reviewing and considering the standard of consent required under GDPR.
Although this was not the subject of the referral, the AG explained that consent obtained through the first tick box was not fully informed because it did not clarify that participation in the lottery was conditional upon the user consenting to direct marketing in the first tick box. As such, it would not be valid under GDPR.
In relation to the second tick box, the AG stated that consent is not active (and therefore does not comply with GDPR requirements) if the user has to untick a box to “not” consent to cookies. The AG reinforced the position under GDPR that inaction (i.e. continuing to browse or not unticking a box) is insufficient to demonstrate consent, which means that a number of entities will need to review (and revise) their cookie banners and cookie consent wording to ensure that any consent is active, rather than passive. This is yet another indication that browser wrap consent is unsustainable under GDPR.
The AG also stated that, in order for the cookie consent to be valid, it must inform users about:
- The duration of the operation of the cookies;
- Whether any third parties have access to the cookies; and
- If so, the identity of the third parties.
Why this matters:
The CJEU will now issue a judgment to the Germany courts and it will be interesting to see whether the judgment follows the same arguments as the AG Opinion.
In some respects, this Opinion simply reinforces what we already know about consent under the GDPR regime – that consent needs to be active and unbundled. However, it does add weight to the view (supported by recent regulator guidance and enforcement) that cookie consent under the E-Privacy Directive does need to comply with GDPR consent requirements. This is further reinforced in the UK by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419), which imposes GDPR standards of consent for cookies from 29 March 2019.