The case, Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V., involved a German company that organized a promotional lottery on a website under a German domain. The website displayed two checkboxes beneath the web forms that collected personal data. The first checkbox (which was not pre-ticked) requested consent to general data processing for marketing purposes. The second checkbox (which was pre-ticked) sought consent for the use of web analytics and the setting of cookies. The Federation of German Consumer Organizations launched proceedings against the website owner because of its failure to stop using the checkboxes.
The German Federal Court of Justice (FCJ) then requested a preliminary ruling from the Court of Justice of the European Union (CJEU). On 21 March 2019, the Advocate General (AG) delivered his opinion.
In the opinion, the AG considered three questions that shed light on how courts may interpret matters relating to cookie consent.
2. Does it make a difference if the cookie stored or accessed constitutes personal data?
It makes no difference whether cookie information constitutes personal data. The ePrivacy Directive refers only to the storing of “information,” regardless of whether this also constitutes personal data under the GDPR.
For information to be “clear and comprehensive,” as required by the ePrivacy Directive, users must be explicitly informed whether third parties have access to the cookies set and, if so, those third parties must be named. In addition, the duration of the operation of the cookies must be clearly stated. More generally, information about cookies must be presented in a way which allows a user “to be able to easily determine the consequences of any consent he might give…[and] to be able to assess the effect of his actions.”
Separately, the AG also addressed the issue of making service provision conditional on obtaining consent. One of the factors to consider when determining if consent is “freely given” is whether the user can access the service provided without consenting to the processing of personal data (i.e., consent bundling). The prohibition on bundling is not absolute: the key factor is the “underlying purpose” of the service provided. Where the service is conditional on consent, the personal data being processed must be essential to the underlying purpose of the provision of that service.
In Planet49 GmbH, the underlying purpose of participation in the lottery was the “selling” of personal data (i.e., the user agreeing to be contacted for promotional offers through the first checkbox). The user’s main requirement to participate in the lottery was providing the personal data requested by the data fields. Consequently, the processing of this personal data was “necessary” for the participation in the lottery and, therefore, not regarded by the AG as a breach of the requirement for consent to be freely given.
What Does This Mean for Your Business?
Assuming the CJEU endorses the AG’s conclusions, there are several important takeaways:
- Cookie policies should be reviewed to ensure they expressly state (1) whether third parties have access to the cookies set and, if so, the identity of those third parties, and (2) the duration of the cookies set.
- IT teams should confirm that no cookies are set until after an express opt-in consent is obtained.
- Where provision of or access to a service is conditional on consent, ensure you can justify the collection of that specific personal data as being necessary for the provision of the service you offer.
- EU courts have regard to the guidance produced by the Article 29 Working Party (now the European Data Protection Board (EDPB)). While acknowledging the guidance is non-binding, the AG referred to its work as “enlightening.” Accordingly, while the guidance can sometimes seem impractical, it must be taken seriously when planning compliance initiatives.
EU regulators are increasing their focus on cookies compliance — whether for online behavioral advertising or in broader applications. As an example, the Bavarian data protection authority in Germany recently conducted an audit of the cookie practices of 40 large companies across a range of sectors. Not one of the audited companies’ cookie practices was found to be compliant, and fines may follow. The EDPB is also determined to push EU legislators to finalize a new ePrivacy Regulation this year to replace the current ePrivacy Directive. This could see significant changes to cookie requirements.
With the flurry of GDPR compliance activity in 2018, a review of cookie practices often took a back seat for many businesses. Prompted by regulatory scrutiny, this must change in 2019.