Advocate general Maciej Szpunar said reliance on pre-ticked boxes does not fulfil the requirements for obtaining consent to the use of 'cookies' under EU law, even if internet users are able to de-select the box and opt out or withdraw their consent at a later date.
In a non-binding opinion, Szpunar expressed the view that lottery organiser Planet49 had not obtained lottery participants' valid consent to cookies when it automatically selected an online cookie consent checkbox on their behalf.
"Requiring a user to positively untick a box and therefore become active if he does not consent to the installation of cookies does not satisfy the criterion of active consent," Szpunar said. "In such a situation, it is virtually impossible to determine objectively whether or not a user has given his consent on the basis of a freely given and informed decision. By contrast, requiring a user to tick a box makes such an assertion far more probable."
Cookies are small text files placed on an internet user's device. They are generated by a web page server, which is basically the computer that operates a website. The information the cookie contains is set by the server and it can be used by that server whenever the user's device interacts with the site.
Websites use cookies mainly because they save time and make the browsing experience more efficient and enjoyable. Cookies also enable websites to monitor their users' web surfing habits and profile them for marketing purposes.
EU law requires website operators and other information society service providers to obtain internet users' consent to the use of cookies, other than those that are strictly necessary cookies, and to provide users with information about how to manage and delete cookies.
The advocate general said that the consent requirements applicable to cookies apply regardless of whether the information being stored and accessed constitutes personal data. He also considered that the requirements for giving consent to the processing of personal data under the General Data Protection Regulation (GDPR) are the same as they were under previous EU data protection laws that the GDPR has replaced. The previous laws are applicable to the Planet49 case as the activity in dispute occurred prior to the GDPR taking effect.
Under the GDPR, consent from a data subject to the processing of their personal data must, in general, be freely given, specific and informed. It must also be an unambiguous indication of the data subject's wishes that is stipulated by a statement or by a clear affirmative action.
In his opinion, Szpunar took issue with Planet49's decision to tie users' participation in its online lottery to their decision to consent to its use of cookies. He said those two things should have been kept separate.
"In the end, a user only effectuates one click on the participation button in order to participate in the lottery," Szpunar said. "At the same time he consents to the installation of cookies. Two expressions of intention (participation in the lottery and consent to the installation of cookies) are made at the same time. These two expressions cannot both be subject to the same participation button."
"Indeed … the consenting to the cookies appears ancillary in nature, in the sense that it is in no way clear that it forms part of a separate act. Put differently, (un)ticking the checkbox on the cookies appears like a preparatory act to the final and legally binding act which is ‘hitting’ the participation button. In such a situation, a user is not in a position to freely give his separate consent to the storing of information or the gaining of access to information already stored, in his terminal equipment," he said.
Planet49 gave internet users the option to opt out of cookie tracking so long as they ticked another box agreeing to receive marketing communications from its partners. The advocate general said this choice was not properly explained to consumers. He provided guidance on the information that website operators must provide to internet users about the use of cookies under EU law, and said that clear, comprehensive and sufficiently detailed information about "the duration of the operation of the cookies" and on whether third parties are given access to the cookies must be provided.
"The duration of the operation of cookies is an element of the requirement for informed consent, meaning that service providers should ‘always keep subscribers informed of the types of data they are processing and the purposes and duration for which it is done’," advocate general Szpunar said. "Even if the cookie is essential, the question of how intrusive it is must be examined against the surrounding circumstances for consent purposes. In addition to asking what data each cookie holds and whether it is linked to any other information held about the user, service providers must consider the lifespan of the cookie and whether this lifespan is appropriate in light of the cookie’s purpose."
"The duration of the operation of cookies relates to the explicit informed consent requirements regarding the quality and accessibility of information to users. This information is vital to enable individuals to make informed decisions prior to the processing… Since data collected by cookies must be eliminated once it is no longer necessary to achieve the original purpose, it follows that the time period for storage of data collected must be clearly communicated to the user," he said.
The CJEU is expected to issue its judgment in the case in the next few months. The court often, but not always, follows the non-binding opinions issued by its advocate generals. The case against Planet49 was brought by a German consumer rights body. Germany's Federal Court of Justice has asked the CJEU to clarify how EU law should be interpreted to help it resolve the dispute before it.