Although the AG’s opinion is non-binding, it serves as a reminder to companies subject to laws implementing the EU ePrivacy Directive that they must obtain consent to use non-essential cookies, and that such consent must meet the requirements set out in the EU General Data Protection Regulation (“GDPR”): consent must be freely given, specific, informed, and unambiguous.
This case involved an online lottery run by Planet49. Planet49 presented would-be lottery participants with two checkboxes. The first checkbox (which was not pre-checked) requested user consent to being contacted by lottery sponsors and other partners with promotional offers. The other checkbox (which was pre-checked) requested user consent to cookies being installed on the user’s computer by a web analytics and advertising service provider engaged by Planet49.
Pre-checked boxes are not consent
In the Advocate General’s view, the second, pre-checked box effectively created one consent for two purposes, so the consent was not valid because it did not require that users actively and separately consent to the installation of cookies. This meant that consent could not be considered to be freely given.
Valid cookie consent must be based on clear information
Also, because users were not told that they could participate in the lottery without consenting to the cookies, the AG found that the second checkbox consent was not sufficiently informed. The AG also found that the consent process was deficient because users were not given information about the “duration of operation” of the relevant cookies or about whether third parties could access the cookies.
Bundling consent may sometimes be OK
The AG’s comments about the first checkbox are more out of the ordinary. In a passage that proponents of cookie walls might appreciate, the AG found no problem with Planet49’s practice of requiring users to consent to the sale of their data as a condition of entering the lottery. GDPR Article 7 says:
“When assessing whether consent is freely given, utmost account shall be taken of whether…the performance of a contract … is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
Earlier consent guidance from the Article 29 Working Party addressed this GDPR provision by saying that there needs to be a direct and objective link between the processing of personal data and the purpose of the contract. The AG said he thought this condition had been satisfied because “the underlying purpose in the participation in the lottery is the ‘selling’ of personal data (i.e. agreeing to be contacted by so-called ‘sponsors’ for promotional offers)” and, thus, “it appears…that the processing of this personal data is necessary for the participation in the lottery.”
However, the AG also noted that he had “some doubts about separate consent” and commented that “it would be better if… there were a separate button to be clicked.”
Consent to certain cookies is required regardless of whether they contain personal data
*** This is a Security Bloggers Network syndicated blog from Law Across the Wire and Into the Cloud authored by Michelle Anderson. Read the original post at: https://blog.zwillgen.com/2019/04/05/new-eu-cookie-consent-recommendation-from-advocate-general/