29.03.2019

European Court of Justice - mandatory opt-in for cookies?

 

The Advocate General at the European Court of Justice (ECJ) Maciej Szpunar considers an opt-in for cookies when visiting a website for mandatory (Opinion of 21.03.2019 - Ref.: C-637/17). The proceedings are based on a German legal dispute at the Federal Court of Justice (BGH) of Planet49 GmbH against the  German Federal Association of Consumer Rights Agencies (Bundesverband der Verbraucherzentralen). The facts of the case were as follows:
On 24 September 2013, Planet49 GmbH organised a competition for advertising purposes at the website www.dein-macbook.de. In order to participate in the competition, the user had to enter his postcode. A page with input fields for the user's name and address was then displayed. Below the input fields for the address were two checkboxes with information texts. In the following I will refer to them as "first checkbox" and "second checkbox". The first text of the note, the checkbox of which did not have a default check mark, was as follows:
 
"I agree that some sponsors and cooperation partners may inform me by post, telephone or e-mail/SMS about offers from their respective business areas. I can determine these myself here, otherwise the selection is made by the organizer. I can revoke my consent at any time. Further information here".
 
The second text, which was provided with a preset checkmark, was as follows:
 
"I agree that the web analysis service Remintrex will be used by me. The consequence of this is that the organiser of the competition, Planet49 GmbH, sets cookies after registration for the competition, which enables Planet49 to evaluate my surfing and usage behaviour on the websites of advertising partners and thus to use Remintrex for interest-focused advertising. I can delete cookies at any time. Read more here".
 
Participation in the competition was only possible if at least the check mark was placed in the first checkbox. The electronic link, which was underlaid with the words "sponsors and cooperation partners" and "here" in the first notice text, led to a list containing 57 companies, their addresses, the business area to be advertised and the type of communication used for advertising (e-mail, post or telephone) as well as the underlined word "unsubscribe" after each company. The list was preceded by the following notice:
 
"By clicking on the 'Unsubscribe' link, I decide that no advertising consent may be given to the named partner/sponsor. If I have not or not enough partners/sponsors, Planet49 chooses partners/sponsors for me at its own discretion (maximum number: 30 partners/sponsors)".
 
The following information was displayed when clicking on the electronic link under the word "here" in the second note:
 
"The cookies set with the names ceng_cache, ceng_etag, ceng_png and gcr are small files that are stored on your hard drive by the browser you are using and through which certain information flows that enables more user-friendly and effective advertising. Cookies contain a specific random number (ID) that is also associated with your registration information. If you then visit the website of an advertising partner registered with Remintrex (please refer to the privacy policy of the advertising partner to find out whether a registration has been made), Remintrex will automatically record that you (i.e. the user with the stored ID) visited the site, which product you were interested in and whether a contract was concluded on the basis of an iFrame integrated there.
 
Planet49 GmbH can then send you advertising e-mails based on the advertising consent given when registering for the competition, which take into account your interests shown on the advertising partner's website. After a revocation of the advertising permission, you will of course no longer receive any e-mail advertising. The information transmitted by the cookies is used exclusively for advertising in which products of the advertising partner are presented. The information is collected, stored and used separately for each advertising partner. Under no circumstances will cross-advertising partner user profiles be created. The individual advertising partners do not receive any personal data. If you have no further interest in using cookies, you can delete them at any time via your browser. You will find instructions in the help function of your browser. Cookies cannot be used to execute programs or transmit viruses. Of course you have the possibility to revoke this consent at any time. You can send your revocation in writing to PLANET49 GmbH [address]. However, an e-mail to our customer service [e-mail address] is also sufficient."
 
The question arises as to whether this procedure was lawful. The courts of instance denied an infringement, as the law does not require an opt-in in data protection matters - unlike the sending of advertising messages. The clause was also sufficiently defined and transparent. The legal dispute finally reached the Federal Court of Justice, which referred several questions to the European Court of Justice:
 
Question 1: 
Is it sufficient in this context for effective consent that the checkbox is preselected and the user must actively deselect the consent if he does not want it?
 
Question 2:
Does it make any difference whether the information stored or retrieved is personal data?
 
Question 3:
Does the GDPR, which will come into force in May 2018, also provide effective consent?
 
Question 4:
What content information does the entrepreneur have to provide for the use of cookies? Does this also include the functional life of the cookies and the question of whether third parties have access to the cookies?
 
The Advocate General now gave the following answers to these questions in his Opinion:
Answer to 1:
"In a situation such as that in the main proceedings, in which the storage of information or access to information already stored in the user's terminal device is permitted by a default checkbox which the user must deselect in order to refuse his consent, and in which consent is not given separately, but at the same time as confirmation of participation in an online competition, there is no effective consent within the meaning of Article 5(1)(b) of the Directive. 3 and 2(f) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), read in conjunction with Article 2(h) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data'.
 
Answer to 2:
"In applying Article 5(3) and (2)(f) of Directive 2002/58 in conjunction with Article 2(h) of Directive 95/46, it makes no difference whether the information stored or retrieved is personal data'.
 

Answer to 3:
"The same applies to the interpretation of Article 5(3) and (2)(f) of Directive 2002/58 in conjunction with Article 4(11) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46 (Basic Regulation on data protection).
 
Answer to 4:
"The clear and comprehensive information which a user must receive from a service provider in accordance with Article 5(3) of Directive 2002/58 includes the duration of the cookies and the question of whether or not third parties can access the cookies.
 

 
What does this mean in practice? 
First of all, it should be stressed that this is not yet a judicial decision of the ECJ, but only a proposal for a later judgment. In practice, however, the Opinions are of great importance, since the ECJ often follows this recommendation in its subsequent decision. Whether this will also be the case in the present case is unclear.
Should the ECJ, however, follow this legal view, this would mean a fundamental change in the cookie consent currently practised in Germany and Europe. Because then the use of a cookie would only be permitted if the user has given his explicit consent beforehand. However, this would require active consent, i.e. a pre-filled checkbox or even the frequently used sentence: "if you continue surfing now, you acknowledge that ..." would no longer be sufficient.
Such consent to cookies, however, would presumably - like any consent - require the user to provide transparent and comprehensible information about the type and scope of data processing, including the use of third-party tools. However, since case law imposes hardly any conditions that can be fulfilled in practice in order for such consent to be effective, this would result in virtually the termination of almost all forms of marketing (e.g. retargeting) across websites. It is well known that this problem has already been assessed differently for some time within the framework of the ePrivacy Regulation, which has not yet been adopted. It remains to be seen whether the IAB Transparency & Consent Framework represents a way out. Stormy times are therefore approaching the online marketing industry.

Do you have questions or recommendations for us?

We are glad to receive your comments.