Out-Law News | 25 Mar 2019 | 3:30 pm | 4 min. read
Advocate general Maciej Szpunar said reliance on pre-ticked boxes does not fulfil the requirements for obtaining consent to the use of 'cookies' under EU law, even if internet users are able to de-select the box and opt out or withdraw their consent at a later date.
In a non-binding opinion, Szpunar expressed the view that lottery organiser Planet49 had not obtained lottery participants' valid consent to cookies when it automatically selected an online cookie consent checkbox on their behalf.
"Requiring a user to positively untick a box and therefore become active if he does not consent to the installation of cookies does not satisfy the criterion of active consent," Szpunar said. "In such a situation, it is virtually impossible to determine objectively whether or not a user has given his consent on the basis of a freely given and informed decision. By contrast, requiring a user to tick a box makes such an assertion far more probable."
Cookies are small text files placed on an internet user's device. They are generated by a web page server, which is basically the computer that operates a website. The information the cookie contains is set by the server and it can be used by that server whenever the user's device interacts with the site.
The advocate general said that the consent requirements applicable to cookies apply regardless of whether the information being stored and accessed constitutes personal data. He also considered that the requirements for giving consent to the processing of personal data under the General Data Protection Regulation (GDPR) are the same as they were under previous EU data protection laws that the GDPR has replaced. The previous laws are applicable to the Planet49 case as the activity in dispute occurred prior to the GDPR taking effect.
Under the GDPR, consent from a data subject to the processing of their personal data must, in general, be freely given, specific and informed. It must also be an unambiguous indication of the data subject's wishes that is stipulated by a statement or by a clear affirmative action.
"In the end, a user only effectuates one click on the participation button in order to participate in the lottery," Szpunar said. "At the same time he consents to the installation of cookies. Two expressions of intention (participation in the lottery and consent to the installation of cookies) are made at the same time. These two expressions cannot both be subject to the same participation button."
"Indeed … the consenting to the cookies appears ancillary in nature, in the sense that it is in no way clear that it forms part of a separate act. Put differently, (un)ticking the checkbox on the cookies appears like a preparatory act to the final and legally binding act which is ‘hitting’ the participation button. In such a situation, a user is not in a position to freely give his separate consent to the storing of information or the gaining of access to information already stored, in his terminal equipment," he said.
"The duration of the operation of cookies is an element of the requirement for informed consent, meaning that service providers should ‘always keep subscribers informed of the types of data they are processing and the purposes and duration for which it is done’," advocate general Szpunar said. "Even if the cookie is essential, the question of how intrusive it is must be examined against the surrounding circumstances for consent purposes. In addition to asking what data each cookie holds and whether it is linked to any other information held about the user, service providers must consider the lifespan of the cookie and whether this lifespan is appropriate in light of the cookie’s purpose."
"The duration of the operation of cookies relates to the explicit informed consent requirements regarding the quality and accessibility of information to users. This information is vital to enable individuals to make informed decisions prior to the processing… Since data collected by cookies must be eliminated once it is no longer necessary to achieve the original purpose, it follows that the time period for storage of data collected must be clearly communicated to the user," he said.
The CJEU is expected to issue its judgment in the case in the next few months. The court often, but not always, follows the non-binding opinions issued by its advocate generals. The case against Planet49 was brought by a German consumer rights body. Germany's Federal Court of Justice has asked the CJEU to clarify how EU law should be interpreted to help it resolve the dispute before it.