Privacy

New EU Cookie Consent Recommendation from Advocate General

Published: Apr. 05, 2019

Updated: Oct. 05, 2020

On March 21, 2019, Advocate General Maciej Szpunar (“Advocate General” or “AG”) of the Court of Justice of the European Union (“CJEU”) issued an opinion in which he recommended that the Court rule that pre-checked boxes do not constitute consent and that consent is required to use cookies for certain purposes, even if the information they store or access is not “personal data”. He also voiced some approval for forcing users to consent to third-party direct marketing as a condition of participating in a lottery.

Although the AG’s opinion is non-binding, it serves as a reminder to companies subject to laws implementing the EU ePrivacy Directive that they must obtain consent to use non-essential cookies and that such consent must meet the consent specifications set out in the EU General Data Protection Regulation (“GDPR”) that consent be freely given, specific, informed, and unambiguous.

Background

This case involved an online lottery run by Planet49. To participate in the lottery, Planet49 offered would-be lottery participants two checkboxes. The first checkbox (which was not pre-checked) requested user consent to being contacted by lottery sponsors and other partners with promotional offers. The other checkbox (which was pre-checked) requested user consent to cookies being installed on his/her computer by a web analytics and advertising service provider engaged by Planet49. 

Pre-checked boxes are not consent

In the Advocate General’s view, the second pre-checked box effectively created one consent for two purposes, so the consent was not valid because it did not require that users actively and separately consent to the installation of cookies. This meant that consent could not be considered to be freely given. 

Valid cookie consent must be based on clear information

Also, because users were not told that they could participate in the lottery without consenting to the cookies, the AG found that the second checkbox consent was not sufficiently informed. The AG also found that the consent process was deficient because users were not given information about the “duration of operation” of the relevant cookies or about whether third parties could access the cookies.

Bundling consent may sometimes be OK

The AG’s comments about the first checkbox are more out of the ordinary. In a passage that proponents of cookie walls might appreciate, the AG found no problem with Planet49’s practice of requiring users to consent to sale of their data as a condition of entering the lottery. GDPR Article 7 says:

“When assessing whether consent is freely given, utmost account shall be taken of whether…the performance of a contract … is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

Earlier consent guidance from the Article 29 Working Party addressed this GDPR provision by saying that there needs to be a direct and objective link between the processing of personal data and the purpose of the contract. The AG said he thought this condition has been satisfied because “the underlying purpose in the participation in the lottery is the ‘selling’ of personal data (i.e. agreeing to be contacted by so-called ‘sponsors’ for promotional offers)” and, thus, “it appears…that the processing of this personal data is necessary for the participation in the lottery.”

However, the AG also noted that he had “some doubts about separate consent” and commented that “it would be better if… there were a separate button to be clicked.”

Consent to certain cookies is required regardless of whether they contain personal data

The Advocate General further noted that consent is required to use cookies on a user’s device for certain purposes (e.g., advertising), regardless of whether the information they store or access is “personal data.” It is interesting to read this opinion in connection with a recent opinion from the European Data Protection Board (“EDPB”), released on March 12, 2019. In that opinion, the EDPB analyzed the interplay between the ePrivacy Directive and the GDPR. The EDPB discussed the overlap between Article 6 of the GDPR, which requires a legal basis for processing personal data, and Article 5(3) of the ePrivacy Directive, which requires consent before placing cookies on a data subject’s device. Because the ePrivacy Directive requires consent to use certain types of cookies (regardless of whether the cookies contain personal data), the ePrivacy Directive’s requirement for consent must prevail, even though legal bases other than consent (e.g., legitimate interest) might otherwise have been permitted by the GDPR if cookies were not involved.