The European Data Protection Board recently released an opinion on this topic (as we discuss here), and on 21 March the Court of Justice of the European Union (CJEU) released Advocate-General Szpunar’s opinion in the case of Planet49 (C-673/17), which discusses the requirements for valid consent, in the context of both cookies under the e-Privacy Directive and more general data processing under the GDPR.
The referring German court asked a number of questions, including in particular whether consent based on a pre-checked box is valid under Article 6(1)(a) GDPR or Article 5(3) of the e-Privacy Directive.
The AG does not throw any serious curveballs in its description of the requirements for consent under the GDPR, and states that the standard for consent under the e-Privacy Directive is the same as that under the GDPR. For consent to be valid, it must be:
- “active” (i.e., involving a positive action);
- “separate” (i.e., the positive action must be limited to giving consent, and not anything else); and
- “informed” (i.e., with sufficient information to understand the consequences of consent being given).
On that basis, it is unsurprising that the AG considers that the consent obtained by Planet49 for cookies through the second checkbox was not valid. The act of giving consent was neither active (the box was pre-checked), nor separate (the action to indicate consent was the same as the action to participate in the lottery).
The AG goes further in relation to the importance of separate consent in its assessment of the first checkbox. Even though the first checkbox was not pre-ticked, the AG indicated that “it would be better if, figuratively speaking, there was a separate button to be clicked”. This seems to indicate that the AG would prefer to see separate screens for users to click through to indicate their consent, rather than relying on checkboxes.
Interestingly, the AG clearly indicates in relation to both checkboxes that Planet49 should have made clear whether or not giving consent is a condition of a service. This raises the possibility of a fairly liberal interpretation of Article 7(4) GDPR, which states that to determine whether consent is freely given, utmost account must be taken of whether consent is a condition of a service. The AG specifically states that Article 7(4) does not constitute an absolute prohibition on bundling consent with other services, and even goes so far as to say that consent to the sharing of personal data with third party sponsors is, in its opinion, likely to be necessary for participation in the lottery (but leaves the final determination of this to the referring court).
In principle, therefore, the AG seems to suggest that it would be open for companies to argue that consent is a necessary condition of a service, if the “payment” to use that service is use of an individual’s personal data. However, the AG does not elaborate on whether this interpretation only applies on the basis that consent is required to send certain types of marketing messages in accordance with Article 13 of the e-Privacy Directive (which was the context of this request for consent from Planet49). In circumstances involving other processing of personal data, an alternative lawful basis such as contractual necessity or legitimate interests may still be more appropriate rather than requesting consent where use of personal data is a condition of a service.
While opinions from the AG are not binding, they generally provide an indication of how the CJEU will rule on a given case. The strict interpretation of the requirements for obtaining opt-in, separate consent for cookies is in keeping with statements from supervisory authorities, but it remains to be seen exactly how the cookie will crumble with respect to arguing that consent can be a condition of a service, not only in the CJEU’s final ruling but in the application of that ruling by supervisory authorities as well.
Authored by Paul Maynard and Elizabeth Campion (Knowledge Paralegal)