European Union: The Way The Cookie Crumbles: CJEU Clarifies European Data Protection Rules For The Use Of Cookies

On October 1, 2019, the Court of Justice of the European Union (CJEU) issued a decision outlining the requirements for a user to consent to a service provider's use of cookies.^1, The Court held that active consent is required, and thus requiring a user to deselect a pre-checked tracking cookie notice in order to disallow the use of cookies does not sufficiently constitute consent to the collection and use of data under EU law.

The Case

In 2013, a German firm, Planet49, organized a promotional online lottery. In order to participate, users had to provide their contact information. Underneath the contact information input form, users were shown two checkboxes stipulating the users' consent to (i) Planet49 sharing the users' data with their advertising partners and (ii) Planet49 setting cookies to trace and evaluate the users' behavior on websites of their advertising partners. In order to participate in the lottery, users had to at least tick the first checkbox and permit Planet49 to share their contact information with its advertising partners. The second checkbox allowing Planet49 to set tracking cookies was pre-checked, but could be unchecked without an impact on the users' participation in the lottery. However, in order for the user to deny consent to the service provider's use of cookies, the user had to manually uncheck the second box.

A German consumer protection organization brought an action challenging this practice before the Frankfurt Regional Court. The Regional Court granted an injunction against Planet49, holding that the use of the first checkbox violated German laws on unacceptable telephone advertising (which require the target's specific consent to a given event, rather than the target's broad consent to the innumerable cases that the box covered), while the second checkbox regarding the use of cookies did not provide the user with sufficient information to provide informed consent. The Higher Regional Court of Frankfurt overturned this decision on appeal. It held that the plea for an injunction was unfounded because it was clear to users that they could deselect the box and because the information provided on the website was sufficient. On further appeal, the German Federal Court of Justice voiced doubts concerning the interpretation of EU data protection rules regarding consent to the collection and use of data and referred the case to the CJEU for a preliminary ruling.

The CJEU was asked to decide, in particular, whether a user could give valid consent to the use of cookies merely by not unchecking a pre-checked tick-box. Since the last hearing before the referring court was on July 14, 2017 – a few months before the General Data Protection Regulation (GDPR)² came into force – it was unclear whether the new rules should be taken into account when answering the German court's questions.

The Decision

As the proceedings concerned an order to refrain from future behavior, the Court decided to take into consideration both the pre-GDPR Directive 95/46³ (along with "ePrivacy Directive" 2002/58⁴ and "Cookie Directive" 2009/136⁵) and the GDPR.

1. Active consent (opt-in vs. opt-out)

When considering whether valid consent could be given using a pre-checked box, the Court conducted a thorough analysis of the wording and legislative context of Article 5(3) of the ePrivacy Directive. This provision provides that the user must have "given his or her consent." According to the CJEU, this wording alone implies that an affirmative action is required by the consumer.

Moreover, the Court found that the legislative history of Article 5(3) supports the notion that consent must be the result of an actively expressed decision by the user. Article 5(3) originally gave the user a "right to refuse." The Cookie Directive amended this right to require that the user "giv[e] his or her consent," which suggests that the user must take an affirmative action to express their consent. In this regard, the Court referred to Recital 17 of the ePrivacy Directive, which states that a user's consent can be given "by any appropriate method" enabling a "freely given [...] indication of the user's wishes, including by ticking a box when visiting an Internet website."

The Court also considered the definition of consent in Directive 95/46 (to which Recital 17 refers), describing the data subject's consent as "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed."⁶ The CJEU held that an "indication" of the consumer's wishes requires active, rather than passive behavior. In particular, the Court argued that – absent active user behavior – it would be practically impossible to ascertain whether the non-removal of the pre-checked box shows actual consent, or whether the user had simply not noticed or ignored the checkbox and the related information. According to Art. 7 of Directive 95/46, however, legitimate consent must be "unambiguously given," a condition that would not be fulfilled in this instance.

Referring to the GDPR which replaced Directive 95/46 as of May 25, 2018, the Court held that its interpretation applies a fortiori under the new law. Consent is defined even more stringently in Article 4(11) GDPR than it was in Directive 95/46, requiring that it must take the form of a "freely given, specific, informed and unambiguous" statement or other "clear affirmative action."

Consequently, only opt-in cookie notices, where the user has to actively agree to the collection and use of their information, meet the legal standard.

2. Informed consent

The CJEU further clarified that in order to meet the requirements of clear and comprehensive information under Article 5(3) of the ePrivacy Directive, the service provider would have to inform the user about the duration of the use of cookies and whether or not third parties may have access to those cookies.

3. No "personal data" requirement

Importantly, the CJEU further held that Article 5(3) of the ePrivacy Directive is not to be interpreted differently depending on whether or not the user information is personal data, because the Directive refers to "information", not personal data specifically. According to the Court, the ePrivacy Directive aims to protect the consumer from interference with his or her personal sphere. This means that where consent is needed,⁷ an opt-in model for the use of cookies or other tracking devices is mandatory, even if the cookies were not to collect personal data.

4. Adequacy of Germany's national implementation of the ePrivacy Directive

Separately from the main point of discussion, Advocate General Szpunar in his March 21, 2019 opinion⁸ seemed to indicate that Section 15(3) of the German Telemedia Act (TMG) falls short of European legal requirements and may not actually be an adequate implementation of Art. 5(3) of the ePrivacy Directive.⁹ Where Article 5(3) of the ePrivacy Directive requires consent, Section 15(3) TMG allows a service provider to create user profiles using pseudonymized data¹⁰ and to employ such data for marketing purposes, provided the user does not object – i.e., without the actively given indication of the user's wishes which the CJEU now regarded as necessary to constitute valid consent.

Thus far the German government considered Sections 12 and 15 TMG, in combination, to sufficiently implement Article (5)3 of the ePrivacy Directive¹¹. However, the Conference of German Data Protection Authorities (DSK)¹² disagrees and emphasizes, in particular, that the creation of user profiles under Section 15(3) TMG may involve the use of stored data such as cookies, so that Article 5(3) of the ePrivacy Directive applies – with the consequence that user consent would be required. ¹³ The mere possibility to object would be insufficient to voice such consent (as the CJEU now confirmed). While the Court itself did not further elaborate on that particular point of implementation, the Advocate General appears to agree with the DSK that Section 15(3) TMG does not "fully transpose" Article 5(3) of the ePrivacy Directive into German law.¹⁴

Outlook

While the CJEU has encouragingly clarified that consent requires an active opt-in (a position that has been the prevailing view in Germany for years), open issues remain. In particular, tying consent to the provision of a service (here: participation in the lottery) raises further questions. The CJEU only touched upon the issue of compatibility of such a coupling mechanism with the requirement that consent has to be freely given, but refrained from commenting on this dimension of the case since it was not part of the questions presented to it. The Advocate General in his opinion pointed to Article 7(4) GDPR, which requires that, when assessing whether consent is freely given, "utmost account" should be taken of whether the provision of a service is conditional on consent to the processing of data which is not necessary for the provision of such service. The Advocate General left this question to the competent courts but held that, as the purpose of participation in the lottery is the selling of personal data to sponsors, in his view, the provision of such personal data appears necessary for participation in the lottery.

In light of the Advocate General's view on the current shortcomings of Art. 15(3) TMG in agreement with the DSK, it remains to be seen whether further legislative activity will address these concerns in the future.

Footnotes

1 Verbraucherzentrale Bundesverband v. Planet49 (Case C-673/17) – available here.

2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

3 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data,

4 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

5 Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending, inter alia, Directive 2002/58/EC.

6 Art. 2(h) Directive 95/46/EC.

7 Art. 5(3) ePrivacy Directive also allows, without the user's consent, "technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service".

8 Advocates General are members of the CJEU who assist the Court by providing impartial opinions on the Court's cases. They do not take part in the decision-making and their opinions are not binding on the CJEU, but are generally understood to carry considerable weight. As a matter of principle, the opinion of an Advocate General is sought whenever a case concerns a new point of law.

9 Verbraucherzentrale Bundesverband v. Planet49 (Case C-673/17), opinion of Advocate General Szpunar – available here. The German Federal Court of Justice also indicated in its referring decision that there was no implementation act by the German legislator following the ePrivacy Directive.

10 Pseudonymized data still qualifies as personal data; cf. GDPR, Recital 26.

11 Responses of Member State Germany to European Commission Questionnaire on article 5(3) of the ePrivacy Directive, October 4, 2011, COCOM11-20 – available here.

12 The DSK is an independent council consisting of the German Federal and State data protection authorities. Its main task is to ensure a unified approach to national and European data protection law and guard the fundamental data protection rights. The DSK regularly issues guidelines, opinions and resolutions. While the DSK's decisions are not binding on the German government or courts, its views are considered authoritative for the lawful application of data protection law.

13 DSK Orientierungshilfe der Aufsichtsbehörden für Anbieter von Telemedien, March 2019 – available here.

14 Fn. 8. See in particular para. 109.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.