Cookies: European Court Clarifies Key Issues on Consent

By Huw Beverley-Smith & Jonathon A. Gunn | Faegre Baker Daniels LLP

On 21 March 2019, an advocate general (AG) of the Court of Justice of the European Union (CJEU) delivered an opinion that sheds light on key issues related to websites’ use of cookies — data packets that can be used by websites to track individuals’ browsing histories and other data.

Thiss followed a request for a preliminary ruling from the Federal Court of Justice in Germany (FCJ) regarding the ways in which cookie consent is structured online. The role of an AG is to assist the CJEU by considering submissions to the court in cases that raise a new point of law and to deliver an impartial opinion to the court on the legal solution. While free to take a different view, the CJEU often follows AG opinions when delivering its definitive judgments, and so the AG opinion provides insight into how courts interpret important questions around cookie consent as this issue attracts increased regulatory scrutiny.

Background
The case, Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V, involved a German company that organized a promotional lottery at a German domain web address. The website used two checkboxes beneath the webforms which collected personal data. The first checkbox (which was not pre-ticked) requested consent to general data processing for marketing purposes. The second checkbox (which was pre-ticked) sought consent for the use of web analytics and the setting of cookies. The Federation of German Consumer Organizations launched proceedings against the website owner because of its failure to stop using the checkboxes.

The FCJ then requested a preliminary ruling from the CJEU. On 21 March 2019, the AG delivered his opinion.

AG Opinion
In the opinion, the AG considered three questions that shed light on how courts may interpret matters relating to cookie consent.

1. Can a pre-ticked checkbox constitute valid user consent to the use of cookies?

Under the ePrivacy Directive and the General Data Protection Regulation (GDPR), consent must be “active,” “unambiguous” and “separate.” Accordingly, the AG opinion concludes that requiring a user to deselect a pre-ticked box does not satisfy the requirement for active consent. Pre-ticking a consent box makes it virtually impossible to determine objectively whether a user has consented. More importantly, participating in a service and the giving of consent cannot form part of the same act. In such a case, a user cannot freely give separate consent to the use of cookies.

2. Does it make a difference if the cookie stored or accessed constitutes personal data?

It makes no difference whether cookie information constitutes personal data. The ePrivacy Directive refers only to the storing of “information,” regardless of whether this also constitutes personal data under the GDPR.

3. What information must be given to the user regarding the use of cookies?

For information to be “clear and comprehensive,” as required by the ePrivacy Directive, users must be explicitly informed whether third parties have access to the cookies set and, if so, those third parties must be named. In addition, the duration of the operation of the cookies must be clearly stated. More generally, information about cookies must be presented in a way which allows a user “to be able to easily determine the consequences of any consent he might give…[and] to be able to assess the effect of his actions.”

Separately, the AG also addressed the issue of making service provision conditional on obtaining consent. One of the factors to consider when determining if consent is “freely given” is whether the user can access the service provided without consenting to the processing of personal data (i.e., consent bundling). The prohibition on bundling is not absolute: the key factor is the “underlying purpose” of the service provided. Where the service is conditional on consent, the personal data being processed must be essential to the underlying purpose of the provision of that service.

In Planet49 GmbH, the underlying purpose of participation in the lottery was the “selling” of personal data (i.e., the user agreeing to be contacted for promotional offers through the first checkbox). The user’s main requirement to participate in the lottery was providing the personal data requested by the data fields. Consequently, the processing of this personal data was “necessary” for the participation in the lottery and, therefore, not regarded by the AG as a breach of the requirement for consent to be freely given.

What Does This Mean for Your Business?
Assuming the CJEU endorses the AG’s conclusions, there are several important takeaways:

• Cookie policies should be reviewed to ensure they expressly state (1) whether third parties have access to the cookies set and, if so, the identity of those third parties, and (2) the duration of the cookies set.
• Cookie banners which operate on the basis that “by continuing to browse this website, you are consenting to the use of cookies” (or equivalent) must be revised to implement an express opt-in consent approach.
• IT teams should confirm that no cookies are set until after an express opt-in consent is obtained.
• Where provision of or access to a service is conditional on consent, ensure you can justify the collection of that specific personal data as being necessary for the provision of the service you offer.
• EU court authorities have reference to the guidance produced by the Article 29 Working Party (now the European Data Protection Board (EDPB)). While acknowledging the guidance is non-binding, the AG referred to their work as “enlightening.” Accordingly, while the guidance can sometimes seem impractical, it must be taken seriously when planning compliance initiatives.

Wider Context
EU regulators are increasing their focus on cookies compliance — whether for online behavioral advertising or in broader applications. As an example, the Bavarian data protection authority in Germany recently conducted an audit of the cookie practices of 40 large companies across a range of sectors. Not one of the audited companies’ cookie practices were found to be compliant and fines may follow. The EDPB is also determined to push EU legislators to finalize a new ePrivacy Regulation this year to replace the current ePrivacy Directive. This could see significant changes to cookie requirements.

With the flurry of GDPR compliance activity in 2018, a review of cookie practices often took a back seat for many businesses. Prompted by regulatory scrutiny, this must change in 2019.

Compliments of Faegre Baker Daniels LLP, a member of the EACCNY