Pre-ticked boxes and cookies consents: Planet49
Is unticking a box sufficient to meet the consent requirements for the installation of cookies? Separately, can you agree to sharing your data with third parties in order to gain entry to a prize draw?
In 2018 the Bundesverband der Verbraucherzentralen (a German federation of consumer organisations) initiated proceedings against an online lottery provider. They alleged breach of German consumer laws implementing the e-Privacy Directive and the General Data Protection Regulation (GDPR).
The defendant, Planet49 GmbH, ran its prize promotion on www.meinmacbook.de. In order to enter, participants were required to provide their postcode, name and address. Above the entry button there were two tick boxes.
The first box was not pre-ticked. It asked participants to consent to sponsors and co-operating partners contacting them via post, email and SMS. Entrants needed to tick this box in order to be able to be registered for the competition.
The second box was pre-ticked. It asked entrants to agree to the installation of cookies, which would monitor users’ surfing and use behaviour on the websites of advertising partners.
The case centred on whether the consent provided by the second tick box was sufficient for third party processing and the installation of cookies under the e-Privacy Directive and the GDPR. It reached the Bundesgerichtshof (Germany’s highest court) and certain elements were referred to the CJEU for guidance.
The second tick box (agreement to loading of cookies)
Advocate General Szpunar’s opinion considered the concept of consent under Directive 95/46/EC (95 Directive) and the GDPR. Consent has to be given actively. It needs to be demonstrated in a separate action, not merely as part of the activity the user is taking part in. The user also has to be fully informed about what they are consenting to. The concept of consent is the same under the e-Privacy regulation as under the GDPR.
The Advocate General found that there was no valid consent in relation to the second tick box. He reached this conclusion on the following basis:
- if the user clicked the participate button, they would be entered into the competition and agree to the cookies in the same click (given that the box was pre-ticked). This meant that it wasn’t a separate action
- if the user left the box ticked, it wasn’t clear that they had given their free and informed consent, as they hadn’t done so actively
- there was no information indicating that the second tick box was optional for entrance to the prize draw, so a user’s consent would not have been fully informed.
The Advocate General stated that it didn’t make a difference whether the information was personal data for the purposes of Article 5(3); it was clear that stored data on the user’s terminal equipment had a privacy aspect to it.
He explained that the “clear and comprehensive information” that must be made available (according to Article 5(3)) should allow a user to understand the implications and effect of giving their consent. The user must be told how the cookies function, their duration and which third parties (if any) have access.
The first tick box (agreement to be contacted by third parties)
The Advocate General also considered the validity of consent under the first tick box. He questioned whether a tick box was sufficiently “separate” to demonstrate consent and stated that a button would have been preferable.
He also discussed Article 7(4) of the GDPR in relation to the first tick box. Under this provision, companies should not make the user’s entry into the contract conditional on consent to processing if the processing is not necessary. Interestingly, the Advocate General considered that third party processing may be necessary for a free prize draw, as users essentially provide their data for the company to sell, in exchange for entry to the prize draw. The user’s acceptance of third-party processing is their main obligation. However, the Advocate General said it was ultimately a decision for the German courts to assess.
Why is this important?
Whilst Article 5(3) of the e-Privacy Directive doesn’t necessarily apply to all cookies (eg it may not apply to authentication and session-id cookies), this decision provides clear guidance on practices that internet service providers should avoid.
The analysis of consent under the 95 Directive, GDPR and e-Privacy Directive is helpful. It will be interesting to see whether consent for cookies is treated similarly under the forthcoming e-Privacy Regulation, or whether the concept develops further complexity.
Any practical tips?
Avoid using pre-ticked boxes! Care should also be taken to ensure that the explanations provided with tick boxes are clear and explain the function of any cookies, their duration and any third-party access in a way that can be understood by a user without any technical background.
As to trading data for sharing with third parties in exchange for entry into a prize draw, that positon remains unresolved. The Advocate General indicated that, in his view at least, companies could consider whether they have grounds to argue it is necessary for the relevant activity (ie participation in a prize draw). For now, the answer must be to think very carefully before going down this route. What is clear is that when it comes to valid consent, pre-ticked boxes generally spell trouble.