Opinion of the Advocate General in Case C-673/17

According to the Advocate General of the ECJ, users must give active, informed consent to allow cookies (opt-in).

OPINION OF ADVOCATE GENERAL
MACIEJ SZPUNAR
of March 21, 2019 (1)
Case C-673/17
Planet49 GmbH
v
Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e. V.

(Reference for a preliminary ruling from the Federal Court of Justice [Germany])

(Reference for a preliminary ruling – Directive 95/46/EC – Directive 2002/58/EC – Regulation (EU) 2016/679 – Processing of personal data and protection of privacy in the electronic communications sector – Cookies – Consent of the data subject – Declaration of consent by means of a pre-ticked box)

I. Introduction

1. In order to take part in a competition organized by Planet49, an internet user had to tick or untick two checkboxes before being able to press the button for participation. In doing so, they had to give their consent to be contacted by a number of companies with advertising offers and also give their consent for cookies to be placed on their computer. These are, in brief, the facts underlying the order for reference from the Federal Court of Justice (Germany).

2 Behind this seemingly harmless situation lie fundamental questions of EU data protection law: What are the exact requirements for voluntary, informed consent? Is there a difference between the (pure) processing of personal data and the setting and accessing of cookies? Which legal provisions are applicable?

(3) In this Opinion, I will argue that, in the context of the present case, Directive 95/46/EC(2) imposes the same requirements for consent as Regulation (EU) 2016/679(3) and that it does not matter in the present case whether the general issue of the processing of personal data is at stake or the more specific issue of the storage of and access to information by means of cookies.

II. Legal framework

A. Union law

1. Directive 95/46

(4) Article 2 (‚Definitions‘) of Directive 95/46 provides:

„For the purposes of this Directive

(h) ‚consent of the data subject‘ means any freely given specific and informed indication of his or her wishes by which the data subject signifies his or her agreement to personal data relating to him or her being processed.“

(5) In Section II (‚Principles relating to the lawfulness of data processing‘) of Directive 95/46, Article 7(a) provides:

„Member States shall provide that the processing of personal data may only take place if one of the following conditions is met:

a) The data subject has given their consent without any doubt;

…“

6 Art. 10 („Information to be provided where personal data are collected from the data subject“) of Directive 95/46 provides:

„Member States shall provide that the data subject from whom the personal data are collected receives at least the following information from the controller or his representative, if he does not already have it:

a) the identity of the controller and, where applicable, the controller’s representative,

b) the purposes of the processing for which the data are intended,

c) further information, for example concerning

– the recipients or categories of recipients of the data,

– the question of whether answering the questions is mandatory or voluntary, as well as the possible consequences of not answering them,

– the existence of rights of access to and rectification of data concerning them,

insofar as they are necessary, taking into account the specific circumstances in which the data are collected, to ensure fair processing in relation to the data subject.“

2. Directive 2002/58/EC(4)

(7) Recitals 24 and 25 in the preamble to Directive 2002/58/EC(5) read:

„(24) The terminal equipment of users of electronic communications networks and information stored in such equipment is part of the privacy of users, which is subject to protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called ‚spyware‘, ‚web bugs‘, ‚hidden identifiers‘ and similar tools can penetrate the user’s terminal equipment without the user’s knowledge in order to gain access to information or to trace the user’s activity and can constitute a serious violation of the privacy of these users. The use of such tools should only be permitted for lawful purposes with the knowledge of the users concerned.

(25) Such tools, e.g. so-called ‚cookies‘, can be a legitimate and useful aid for examining the effectiveness of website design and advertising and for verifying the identity of users involved in online transactions. Where such tools, e.g. ‚cookies‘, serve a lawful purpose, e.g. facilitating the provision of information society services, their use should be permitted on condition that users, in accordance with Directive [95/46], receive clear and precise information about the purpose of cookies or similar instruments, i.e. the user must know that certain information will be placed on the terminal device he or she is using. Users should have the opportunity to refuse the storage of a cookie or similar instrument in their terminal equipment. This is particularly important if other users also have access to the end device in question and therefore also to data stored there that contains sensitive information of a private nature. The information and the right of refusal may be offered once for the use of various tools to be installed in the user’s terminal during the same connection and may also cover the future use of such tools made during subsequent connections. The arrangements for providing the information, for drawing attention to the right of refusal and for obtaining consent should be as user-friendly as possible. Access to specific website content may still be made conditional on the informed acceptance of a cookie or similar tool, if it is used for a lawful purpose.“

(8) Article 2 (‚Definitions‘) of Directive 2002/58 provides in point (f):

„Unless otherwise specified, the definitions in Directive [95/46] and Directive 2002/21/EC of the European Parliament and of the Council of March 7, 2002 on a common regulatory framework for electronic communications networks and services („Framework Directive“)[(6)] shall also apply to this Directive.

Furthermore, for the purposes of this Directive, the term

(f) ‚consent‘ of a user or subscriber means the consent of the data subject as defined by Directive [95/46];

…“

9 Art. 5 („Confidentiality of communications“) of Directive 2002/58 provides in para. 3:

„Member States shall ensure that the storage of or access to information already stored in the terminal equipment of a subscriber or user is only allowed if the subscriber or user concerned has given his consent on the basis of clear and comprehensive information provided to him in accordance with Directive [95/46], inter alia, on the purposes of the processing. This shall not prevent technical storage or access where the sole purpose is to carry out the transmission of a communication over an electronic communications network or where it is strictly necessary for the provider of an information society service explicitly requested by the subscriber or user to provide that service.“

3. Directive 2009/136/EC(7)

(10) Recital 66 in the preamble to Directive 2009/136/EC(8) reads:

„Third parties may wish to store information on a user’s terminal equipment or access information already stored for a number of reasons, ranging from legitimate reasons (such as some types of cookies) to unauthorized invasion of privacy (e.g. via spyware or viruses). It is therefore of the utmost importance that users are provided with clear and understandable information when they carry out any activity that could lead to such storage or access. The methods of information and the granting of the right to refuse it should be made as user-friendly as possible. Exceptions to the obligation to inform and the right to refuse should be limited to those situations where the technical storage or access is indispensable to enable the use of a service explicitly requested by the subscriber or user. Where technically feasible and effective, the user’s consent to processing may be expressed in accordance with the relevant provisions of Directive [95/46] on the handling of the relevant settings of a browser or other application. The implementation of these conditions should be made more effective by strengthening the powers of the competent national authorities.“

4. Regulation 2016/679

11 Recital 32 of Regulation 2016/679 reads:

„Consent should be given by an unequivocal affirmative act which signifies freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, for example by a written statement, which may also be given electronically, or by an oral statement. This could be done, for example, by ticking a box when visiting a website, by selecting technical settings for information society services or by any other statement or behavior with which the data subject clearly indicates their consent to the intended processing of their personal data in the respective context. Silence, already checked boxes or inactivity of the data subject should therefore not constitute consent. Consent should relate to all processing operations carried out for the same purpose or purposes. If the processing serves several purposes, consent should be given for all these processing purposes. Where the data subject is requested to give consent by electronic means, the request must be made in a clear and concise manner and without undue interruption of the service for which consent is given.“

12 Art. 4 („Definitions“) of Regulation 2016/679 provides in No. 11:

„For the purposes of this Regulation

(11) ‚consent‘ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

…“

13 Art. 6 („Lawfulness of processing“) of Regulation 2016/679 states:

„(1) Processing is only lawful if at least one of the following conditions is met:

a) The data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes;

…“

14 Art. 7 („Conditions for consent“) of Regulation 2016/679 states in para. 4: „In assessing whether consent has been freely given, utmost account shall be taken of the fact whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data which are not necessary for the performance of that contract.“

B. German law

1. Civil Code

15. § 307(9) of the German Civil Code (BGB) reads:

„(1) Provisions in general terms and conditions are invalid if they unreasonably disadvantage the contractual partner of the user contrary to the requirements of good faith. An unreasonable disadvantage may also result from the fact that the provision is not clear and comprehensible.

(2) In case of doubt, an unreasonable disadvantage is to be assumed if a provision

1. is incompatible with the fundamental ideas of the statutory provision from which it deviates, or

2. restricts essential rights or obligations arising from the nature of the contract in such a way that the achievement of the purpose of the contract is jeopardized.

(3) Paragraphs 1 and 2 as well as sections 308 and 309 shall only apply to provisions in General Terms and Conditions which deviate from or supplement legal provisions. Other provisions may be invalid in accordance with paragraph 1 sentence 2 in conjunction with paragraph 1 sentence 1.“

2. Law against unfair competition

16 The Unfair Competition Act (UWG) prohibits commercial acts that unreasonably harass a market participant. According to § 7 para. 2 No. 2 UWG, unreasonable harassment is always to be assumed in the case of advertising with a telephone call to a consumer without their prior express consent or to another market participant without their at least presumed consent.

3. Telemedia law

17 Section 12 para. 1 of the Telemedia Act (TMG) implements Article 7(a) of Directive 95/46 and specifies the conditions under which a service provider may collect and use personal data for the provision of telemedia. According to this provision, a service provider may only collect and use personal data for the provision of telemedia if the TMG or another legal provision that expressly refers to telemedia permits it or if the user has consented.

18. According to § 12 para. 3 TMG, the applicable regulations for the protection of personal data must be applied, even if the data is not processed automatically.

19. According to § 13 para. 1 TMG, the service provider must inform the user at the beginning of the usage process about the type, scope and purposes of the processing of personal data and about the processing of their data outside the scope of Directive 95/46.

20 Section 15 para. 1 TMG stipulates that service providers may only collect and use personal data insofar as this is necessary to enable and charge for the use of telemedia (usage data). Usage data are in particular characteristics for the identification of users.

21 Section 15 para. 3 TMG implements Art. 5 para. 3 of Directive 2002/58. It allows a service provider to create user profiles using pseudonyms for the purposes of advertising, market research or the needs-based design of telemedia, provided that the user does not object to this and the service provider has informed the user of their right to object in accordance with the duty to inform pursuant to Section 13 para. 1 TMG.

4. Federal Data Protection Act

22 Section 3 para. 1 of the Federal Data Protection Act (BDSG)(10) implements Article 2(a) of Directive 95/46; the term „personal data“ is defined there as information relating to the personal or material circumstances of an identified or identifiable natural person.

23 Section 4a BDSG transposes Article 2(h) of Directive 95/46 into national law; it stipulates that consent is only effective if it is based on the free decision of the data subject.

III. Facts, procedure and questions referred

24 September 2013, Planet49 GmbH organized a competition for advertising purposes at the Internet address www.dein-macbook.de(11). To take part in the competition, an internet user had to enter their zip code. A page with input fields for the user’s name and address was then displayed. Below the input fields for the address, there were two texts with checkboxes. I will refer to them below as the „first checkbox“ and the „second checkbox“. The first information text, whose checkbox was not provided with a preset checkmark, read:

„I agree that some sponsors and cooperation partners may inform me by post, telephone or e-mail/SMS about offers from their respective business areas. I can determine these myself here, otherwise the selection will be made by the organizer. I can revoke my consent at any time. Further information here.“

25 The second instruction text, which was provided with a preset checkmark, read:

„I agree that the Remintrex web analysis service may be used on my computer. This means that the competition organizer, Planet49 GmbH, sets cookies after registration for the competition, which enables Planet49 to evaluate my surfing and usage behavior on websites of advertising partners and thus interest-based advertising by Remintrex. I can delete the cookies at any time. Read more here.“

26. Participation in the competition was only possible if at least the first checkbox was ticked.

27 The hyperlink attached to the words „Sponsors and cooperation partners“ and „here“ in the first information text led to a list containing 57 companies, their addresses, the business area to be advertised and the type of communication used for advertising (e-mail, post or telephone) as well as the underlined word „Unsubscribe“ after each company. The list was preceded by the following note:

„By clicking on the ‚Unsubscribe‘ link, I decide that no advertising consent may be given to the named partner/sponsor. If I have not unsubscribed any or a sufficient number of partners/sponsors, Planet49 will select partners/sponsors for me at its own discretion (maximum number: 30 partners/sponsors).“

28. The following information was displayed when clicking on the hyperlink attached to the word „here“ in the second information text:

„The cookies set with the names ceng_cache, ceng_etag, ceng_png and gcr are small files that are stored on your hard disk by the browser you are using and through which certain information flows that enable more user-friendly and effective advertising. The cookies contain a specific randomly generated number (ID), which is also assigned to your registration data. If you then visit the website of an advertising partner registered for Remintrex (please refer to the advertising partner’s privacy policy to find out whether you have registered), Remintrex will automatically record that you (i.e. the user with the stored ID) have visited the page, which product you are interested in and whether a contract has been concluded on the basis of an iFrame integrated there.

Subsequently, Planet49 GmbH may send you advertising emails based on the advertising consent given when registering for the competition, which take into account your interests shown on the website of the advertising partner. If you revoke your advertising consent, you will of course no longer receive any e-mail advertising.

The information transmitted by the cookies is used exclusively for advertising in which the products of the advertising partner are presented. The information is collected, stored and used separately for each advertising partner. Under no circumstances are cross-advertising partner user profiles created. The individual advertising partners do not receive any personal data.

If you have no further interest in the use of cookies, you can delete them at any time via your browser. You can find instructions in the help function of your browser.

Cookies cannot be used to run programs or transmit viruses.

Of course, you have the option to revoke this consent at any time. You can send your revocation in writing to PLANET49 GmbH [address]. However, it is also sufficient to send an e-mail to our customer service [e-mail address].“

(29) The plaintiff in the main proceedings, the Federal Association of Consumer Organizations (hereinafter: Federal Association), is registered in the list of qualified entities under the Act on Injunctions for Consumer Rights and Other Infringements (UKlaG). In its opinion, the declarations of consent used by Planet49 and reproduced above did not satisfy the requirements of Section 307 BGB, Section 7 para. 2 No. 2 UWG and §§ 12 ff. TMG. A pre-trial warning was unsuccessful.

30 The Federal Association brought an action before the Regional Court of Frankfurt am Main (Germany) seeking an order that Planet49 cease using the above clauses(12) and pay the Federal Association EUR 214 plus interest from March 15, 2014.

31 The Frankfurt am Main Regional Court granted some of the claims and dismissed the remainder of the action. Following an appeal(13) lodged with the Higher Regional Court of Frankfurt am Main (Germany), the action has been referred to the Federal Court of Justice as a court of appeal(14).

32 The Federal Court of Justice is of the opinion that the success of the appeal depends on the interpretation of Art. 5 para. 3 and Article 2(f) of Directive 2002/58 in conjunction with Article 2(h) of Directive 95/46 and Article 6(1)(a) of Regulation 2016/679. It referred the following questions to the Court for a preliminary ruling:

1. a) Is consent valid within the meaning of Art. 5 para. 3 and Article 2(f) of Directive 2002/58 in conjunction with Article 2(h) of Directive 95/46 if the storage of information or access to information already stored in the user’s terminal equipment is permitted by a preset checkbox which the user must deselect in order to refuse consent?

b) Does it make a difference in the application of Art. 5 para. 3 and Article 2(f) of Directive 2002/58 in conjunction with Article 2(h) of Directive 95/46 whether the information stored or retrieved is personal data?

c) In the circumstances referred to in Question 1(a), is there valid consent within the meaning of Article 6(1)(a) of Regulation 2016/679?

2. What information must the service provider give to the user in the context of the clear and comprehensive information required under Art. 5 para. 3 of Directive 2002/58? Does this also include the duration of the function of the cookies and the question of whether third parties have access to the cookies?

33 The order for reference was received by the Court on November 30, 2017. Planet49, the Bundesverband, the Portuguese and Italian governments and the European Commission submitted written observations. An oral hearing was held on November 13, 2018, in which Planet49, the Federal Association, the German government and the Commission took part.

IV. Assessment

(34) The two questions referred for a preliminary ruling by the Bundesgerichtshof relate to consent to the storage of information and access to information already stored in the user’s terminal equipment, i.e. cookies, in the specific context of the provisions of Directive 2002/58 in conjunction with the provisions of Directive 95/46 or Regulation 2016/679.

35 It seems to me helpful to clarify by way of preliminary remarks in factual terms what is meant by cookies and related terminology, and in legal terms what legislation is applicable to the present case.

A. Preliminary remarks

1. Cookies

36. Cookies can be used to collect information generated by a website and stored by an internet user’s browser(15). A cookie is a small file or piece of text information (usually less than one Kbyte) that is placed by a website on the hard disk of an internet user’s computer or mobile device via their browser(16).

37 A cookie allows the website to permanently „remember“ the user’s actions or preferences. Most web browsers support cookies, but users can set their browsers to reject cookies. You can also delete cookies at any time. Many users configure the cookie settings in their browsers so that cookies are automatically deleted by default when the browser window is closed. However, there is a wealth of empirical evidence that the default settings are rarely changed, a phenomenon that has been termed „default inertia“(17).

38. Websites use cookies to identify users, remember their customers‘ preferences and allow users to complete tasks without having to re-enter information when they move to another page or revisit the website later.

39 Cookies can also be used to collect information for targeted advertising and marketing based on online behavior(18). For example, companies use software to track user behavior and create personal profiles that allow them to show users advertising tailored to their previous searches(19).

40 There are different types of cookies. They can be categorized according to their lifespan (e.g. session cookies and persistent cookies) or according to the domain to which they belong (e.g. first-party and third-party cookies)(20). If the web server that feeds the website stores cookies on the user’s computer or mobile device, these are referred to as „HTTP header cookies“(21). Cookies can also be stored using JavaScript code that is located or referenced on the page(22). However, the validity of the consent to set cookies and the applicability of relevant exceptions should be assessed on the basis of the purpose of the cookies and not on their technical characteristics(23).

2. On the applicable legal provisions

41 The legal framework applicable to the main proceedings has evolved over the years, most recently with the entry into force of Regulation 2016/679.

(42) Two sets of EU rules are applicable in the present case. First, Directive 95/46 and Regulation 2016/679. Second, Directive 2002/58, as amended by Directive 2009/136(24).

43 I would like to make two comments in relation to these two groups of legislation.

44 The first observation concerns the applicability of Directive 95/46 and Regulation 2016/679.

45 Regulation 2016/679, which has been in force since May 25, 2018(25), repealed Directive 95/46 with effect from the same date(26).

46 May 25, 2018 is after the last hearing before the referring court, which took place on July 14, 2017, and also after October 5, 2017, the date on which the present case was referred to the Court for a preliminary ruling.

47 Directive 2002/58 in conjunction with Directive 95/46 therefore applies to situations before May 25, 2018, whereas Directive 2002/58 in conjunction with Regulation 2016/679 applies to situations after May 25, 2018.

(48) Insofar as the Federal Association seeks an order that Planet49 refrain from its past conduct in the future,(27) Regulation 2016/679 is applicable in the present case. In its decision on the application for an injunction directed to the future, the Federal Court of Justice will therefore have to take into account the requirements of Regulation 2016/679. In this context, the German Government refers to settled domestic case-law on the relevant legal position in actions for an injunction(28).

49 Consequently, the question referred must be answered on the basis of both Directive 95/46 and Regulation 2016/679(29).

50 It should also be noted that references to Directive 95/46 in Directive 2002/58 are deemed to be references to Regulation 2016/679(30).

51 The second comment concerns the development of Art. 5 para. 3 of Directive 2002/58.

52 Directive 2002/58 seeks to ensure that the rights set out in the Charter of Fundamental Rights of the European Union, and in particular Articles 7 and 8 thereof, are fully respected. Article 5 of this Directive is intended to ensure the ‚confidentiality of communications‘. In particular, Art. 5 para. 3 regulates the use of cookies and specifies which requirements must be met before data may be stored or accessed on a user’s computer by setting a cookie.

53 Directive 2009/136 significantly amended the consent requirements set out in Art. 5 para. 3 of Directive 2002/58 in order to improve the protection of users. Prior to the amendments made by Directive 2009/136, Art. 5 para. 3 only required that users be informed of the right to refuse data processing using cookies („informed opt-out“). In other words, according to the original version of Art. 5 para. 3, where information is stored on the user’s device or information stored there is accessed, the service provider must inform the user clearly and comprehensively, in particular about the purpose of the processing, and inform the user of the right to refuse this processing.

54 Directive 2009/136 replaced this requirement to indicate the right to refuse with the requirement that ‚the subscriber or user concerned … has given his consent‘. The system of „informed opt-out“, which was easier to comply with, was thus replaced by a system of „informed opt-in“. Apart from a very limited exception, which is not applicable in the present case,(32) the use of cookies is, according to the amended version of Art. 5 para. 3 of Directive 2002/58, only permitted if the user has consented after having received clear and comprehensive information, in accordance with Directive 95/46, on why his data are being tracked, i.e. on the purposes of the processing(33).

55 As will be explained in more detail below, the scope of the requirement to provide information in Art. 5 para. 3 of Directive 2002/58 is at the heart of the dispute, in particular in the context of default settings for online activities.

B. First question

56 By Question 1(a), the referring court asks, in essence, whether there is valid consent within the meaning of Article 5(3) and Article 2(f) of Directive 2002/58, read in conjunction with Article 2(h) of Directive 95/46, where the storage of information or access to information already stored in the user’s terminal equipment is permitted by means of a pre-ticked box which the user must deselect in order to refuse consent. In this context, the referring court also wishes to know whether it makes a difference whether the information stored or retrieved is personal data (point (b) of the first question). Finally, it wishes to know whether, in the circumstances described above, effective consent within the meaning of Article 6(1)(a) of Regulation 2016/679 is given (point (c) of the first question).

1. On consent given voluntarily and in full knowledge of the facts

57 One of the underlying features of Union data protection law is consent.

58 Before turning specifically to cookies, I would like to set out general principles for giving consent that can be found in the relevant legislation.

a) Within the framework of Directive 95/46

1) Active consent

59 I conclude from the provisions of Directive 95/46 that consent must be actively(34) expressed.

(60) Article 2(h) of Directive 95/46 refers to an expression of the data subject’s will, which clearly indicates active and not passive behavior. In addition, Article 7(a) of Directive 95/46, which deals with the principles relating to the lawfulness of the processing of (personal) data, states that the data subject must have given his or her consent without any doubt. However, doubts can only be removed by active and not passive behavior.

61 I conclude from this that it is not sufficient in this respect if the user’s declaration of consent is pre-formulated and the user must actively object if he does not agree to the processing of the data.

62 In the latter case, one does not know whether such a pre-formulated text has been read and understood. The situation is not free of doubt. A user may or may not have read the text. He may have omitted to do so out of sheer negligence. In such a situation, it is not possible to determine whether consent was given voluntarily.

2) Separate consent

63. Closely linked to the requirement of active consent is the requirement of separate consent(35).

64 It could be argued, as Planet49 does, that the data subject does not give valid consent by not unchecking the box in front of a pre-formulated declaration of consent, but by actively clicking on the button to participate in the online competition.

65 I do not agree with this interpretation.

66 Consent is only given voluntarily and in an informed manner if it is not only given actively but also separately. The activities of a user on the internet (reading a website, taking part in a competition, watching a video, etc.) and the granting of consent cannot be part of the same action. In particular, from the user’s perspective, the granting of consent cannot appear as a side effect of participation in the competition. Both actions must be presented in the same way, particularly visually. As a result, I consider it doubtful that a bundle of declarations of intent, which would include the granting of consent, would be consistent with the concept of consent within the meaning of Directive 95/46.

3) Duty to provide comprehensive information

67 In this context, it must be made unambiguously clear to users whether what they do on the internet is dependent on their consent. A user must be able to assess the extent to which he is willing to disclose his data in order to carry out his activity on the internet. There must be no room for the slightest ambiguity(36). A user must know whether and, if so, to what extent the granting of his consent affects the development of his activity on the internet.

b) Within the framework of Regulation 2016/679

68 The principles set out above also apply to Regulation 2016/679.

69 Article 4(11) of Regulation 2016/679 defines consent of the data subject as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

70 This definition is narrower than the definition in Article 2(h) of Directive 95/46 in that it requires an unequivocal expression of the data subject’s will and a clear affirmative act expressing consent to the processing of personal data.

71 Furthermore, the recitals in the preamble to Regulation 2016/679 are particularly illuminating. Since I will refer to the recitals in detail(37), I feel compelled to point out that they do not, of course, have any legal significance in their own right(38), but that the Court often refers to them when interpreting provisions of a Union act. In the Union legal order, they are descriptive, not normative, in nature. Indeed, the question of the legal significance of recitals does not normally arise for the simple reason that they are usually reflected in the legal provisions of a directive. Good legislative technique by the political institutions of the Union aims at a situation in which the recitals provide a useful background for the provisions of a legislative act(39).

72 According to recital 32 of Regulation 2016/679, consent should be given by an unequivocal affirmative act by which the data subject indicates voluntarily, in an informed and unambiguous manner, for the specific case, that he or she consents to the processing of personal data relating to him or her, such as by a written statement, which may also be given electronically, or by an oral statement. This could be done, for example, by ticking a box when visiting a website, by selecting technical settings for information society services or by another statement or behavior with which the data subject clearly indicates their consent to the intended processing of their personal data in the respective context. Silence, already ticked boxes or inactivity on the part of the data subject should therefore not constitute consent.

73 Regulation 2016/679 therefore now expressly provides for active consent.

74 Moreover, recital 43 of the Regulation states that, in order to ensure that consent is freely given, it should not provide a valid legal basis in specific cases where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely, having regard to all the circumstances of the particular case, that consent was freely given. Consent is not deemed to be freely given if consent cannot be given separately for different processing operations of personal data, although this is appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on consent, although it is not necessary for performance.

75 The requirement of separate consent is therefore now explicitly emphasized in this recital.

c) In the context of Directive 2002/58 – the case of cookies

76 According to Art. 5 para. 3 of Directive 2002/58, Member States must ensure that the storage of information or access to information already stored in the terminal equipment of a subscriber or user is permitted only if the subscriber or user concerned has given his consent on the basis of clear and comprehensive information provided to him in accordance with Directive 95/46, inter alia, on the purposes of the processing.

77 This provision does not establish any further criteria with regard to the concept of consent.

78 However, the recitals of Directive 2002/58 and Directive 2009/136 provide guidance on consent in relation to cookies.

79 Recital 17 in the preamble to Directive 2002/58 states that consent may be given by any appropriate means which expresses the user’s wish in a specific indication which is informed and freely given, including by checking a box on an internet website(40).

80 In addition, recital 66 of Directive 2009/136 explains that it is of utmost importance that clear and understandable information is provided to users when they perform any activity that could lead to the storage of information in a user’s terminal equipment or access to information already stored, and that the methods of providing information and the granting of the right to refuse it should be as user-friendly as possible.

81 In this context, I would also like to refer to the non-binding but nonetheless informative work of the Article 29 Working Party(41). According to this work, consent implies a prior affirmative act by the user to consent to the storage and use of the cookie(42). The Working Party has also stated that the term ‘expression of will’ requires an action(43). Other elements of the definition of consent and the additional requirement in Article 7(a) of Directive 95/46 that consent must be unambiguous support this interpretation(44). The requirement that the data subject must ‘express’ consent indicates that mere inaction is not sufficient and that some kind of action is necessary for consent. However, different actions are possible, which must be assessed “in their respective contexts”(45).

2. Application to the present case

82 I would now like to turn to the application of these criteria to the present case. In doing so, I will first deal with points (a) and (c) of the first question, i.e. whether there was effective consent to the setting of and access to the cookies. This concerns the second checkbox.

83 Given that, as has just been pointed out, there is little difference between the requirements for consent in the case of cookies and, more generally, in the case of the processing of personal data, I also consider it necessary, for the sake of both completeness and clarity, in order to ensure a correct and uniform interpretation of EU law, to examine briefly whether, in relation to the processing of personal data in the context of the first checkbox, effective consent has been given, even though the referring court does not expressly ask for it. As I understand it, the Federal Court of Justice will also have to rule on the first checkbox in the context of the proceedings pending before it(46).

a) Second checkbox – letters a and c of the first question

84 The referring court asks whether consent is valid within the meaning of Article 5(3) and Article 2(f) of Directive 2002/58, read in conjunction with Article 2(h) of Directive 95/46, where the storage of information or access to information already stored in the user’s terminal equipment is permitted by means of a pre-ticked box which the user must deselect in order to refuse consent.

85 The decisive terms for answering this question are ‘freely given’ and ‘informed’ in Article 2(h) of Directive 95/46 and ‘voluntary’ and ‘informed’ in Article 4(11) of Regulation 2016/679. It is questionable whether consent can be given in this way in a situation such as that described by the referring court.

86 Planet49 agrees with this. All other parties(47) disagree. In this context, the parties’ legal arguments focus primarily on whether placing or removing a tick in a checkbox that has already been filled in satisfies these requirements. The subject of the discussion is the question of activity and passivity. However, this aspect, as important as it is, is only part of the requirements. It only concerns the requirement of active consent, but not that of separate consent.

87 In my opinion, based on the criteria set out above, the answer is that there is no valid consent in the present case.

88 Firstly, the criterion of active consent is not met if a user has to remove an existing checkmark, and thus become active, if he or she does not consent to the setting of cookies. In such a situation, it is practically impossible to objectively determine whether a user has given consent on the basis of a voluntary and informed decision. However, if a user has to check a box, this can be assumed with much greater probability.

89 Secondly and most importantly, participation in the online competition and the granting of consent to the setting of cookies cannot be part of the same action. However, this is precisely the case here. Ultimately, a user only clicks on the button provided for participation in the online competition. At the same time, they consent to the placement of cookies. Two declarations of intent (participation in the competition and consent to the setting of cookies) are made simultaneously. They cannot both be assigned to the same button for participation. In the present case, consent to cookies appears to be subordinate in that it is by no means clear that it is part of a separate action. In other words, checking or unchecking the box relating to cookies appears to be a preparatory action for the final and legally binding action of clicking the opt-in button.

90. In such a situation, a user is not in a position to freely give his separate consent to the storage of information or access to information already stored in his terminal device.

91 Moreover, as explained above, participation in the competition was only possible if at least the first checkbox was ticked. As a result, participation in the competition was not dependent(48) on consent being given to the setting of and access to cookies. This is because a user could also have (only) clicked on the first checkbox.

92 To my knowledge, however, the user was never informed of this. This is not in line with the above-mentioned criterion of providing users with comprehensive information.

93 In conclusion, I propose that the answer to points (a) and (c) of the first question should be that, in a situation such as that at issue in the main proceedings, in which the storage of information or access to information already stored in the user’s terminal equipment is permitted by means of a pre-ticked box which the user must deselect in order to refuse consent, and in which consent is not given separately but at the same time as confirmation of participation in an online competition, there is no valid consent within the meaning of Article 5(3) and Article 2(f) of Directive 2002/58 in conjunction with Article 2(h) of Directive 95/46. The same applies to the interpretation of Art. 5 para. 3 and 2(f) of Directive 2002/58 in conjunction with Article 4(11) of Regulation 2016/679.

b) First checkbox

94 Although the referring court’s questions relate only to the second checkbox, I would like to make two specific comments on the first checkbox which may be helpful to the referring court in reaching its final decision.

95 As already explained, the first checkbox does not concern cookies, but only the processing of personal data. In this respect, a user does not consent to the storage of information on their device, but (merely) to being contacted by a number of companies by post, telephone or email.

96 Firstly, the criteria for active and separate consent and comprehensive information naturally also apply to the first checkbox. Active consent should be unproblematic, as the checkbox is not pre-filled. However, I have doubts about the separate consent. On the basis of the above analysis(49), given the facts of the present case, it would be better if, figuratively speaking, a separate button were to be clicked to consent to the processing of personal data(50) and not just a box ticked.

97 Secondly, with regard to the first checkbox relating to contact by sponsors and cooperation partners, Art. 7 para. 4 of Regulation 2016/679 should be taken into account. According to this provision, when assessing whether consent has been given voluntarily, the greatest possible account must be taken of whether, among other things, the performance of a contract, including the provision of a service, is dependent on consent to the processing of personal data that is not necessary for the performance of the contract. Art. 7 para. 4 of Regulation 2016/679 therefore now establishes a “prohibition of tying”(51).

98 As is clear from the words “must be taken into account to the greatest extent possible”, the prohibition of tying is not an absolute prohibition(52).

99 In this respect, the competent court will have to assess whether consent to the processing of personal data is necessary for participation in the competition. It should be borne in mind that the purpose behind participation in the competition is the “sale” of personal data (i.e. consent to be contacted by so-called “sponsors” with promotional offers). In other words, the main obligation that the user must fulfill in order to participate in the contest is to provide personal data. In such a situation, it seems to me that the processing of this personal data is necessary for participation in the contest(53).

3. Personal data (letter b of the first question)

100. I would now like to examine whether it makes a difference in the application of Art. 5 para. 3 and 2(f) of Directive 2002/58 in conjunction with Article 2(h) of Directive 95/46, whether the information stored or retrieved is personal data.

101. This question is best understood against the background of German law, which transposed Art. 5 para. 3 of Directive 2002/58(54). German law distinguishes between the collection and use of personal data and other data.

102. According to § 12 para. 1 TMG, the permissibility of the collection and use of personal data by a service provider depends, among other things, on whether the user has consented.

103. According to § 15 para. 3 TMG, however, a service provider may create user profiles using pseudonyms for advertising and market research purposes, among other things, unless the user objects to this. If no personal data is involved, the requirements under German law are therefore less strict: no consent, only a lack of objection.

104. According to the legal definition in Art. 4 No. 1 of Regulation 2016/679, personal data is “any information relating to an identified or identifiable natural person (… ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

105. In my view, there is no doubt that, in the present case, the ‘information’ referred to in Article 5(3) of Directive 2002/58 is ‘personal data’. The referring court also appears to take this view, as it expressly states in its order for reference that the retrieval of data from the cookies used by the defendant is subject to the consent requirement of § 12 para. 1 TMG because this is personal data(55). Moreover, it appears to be undisputed between the parties to the main proceedings that we are dealing here with personal data.

106. One might therefore wonder whether this question is relevant in the present case and whether it is not a hypothetical question(56).

107. Regardless of this, the answer to this question seems to me to be quite clear: it makes no difference whether the information stored or retrieved is personal data. Art. 5 para. 3 of Directive 2002/58 refers to “the storage of information or access to information which is already … stored”(57). It is clear that all such information has a data protection aspect, regardless of whether it is ‘personal data’ within the meaning of Article 4(1) of Regulation 2016/679. As the Commission rightly points out, Art. 5 para. 3 of Directive 2002/58 aims to protect the user from intrusions into his privacy, regardless of whether personal data or other data are involved.

108. Such an understanding of Art. 5 para. 3 of Directive 2002/58 is furthermore confirmed by recitals 24(58) and 25(59) of this Directive and by opinions of the Article 29 Working Party. It states: “Article 5(3) applies to ‘information’ (information stored and/or information accessed). It makes no distinction here. For this provision to apply, it is not necessary for the information to be personal data within the meaning of Directive [95/46].”(60)

109. As a result, the requirements of Art. 5 para. 3 of Directive 2002/58 were apparently not fully transposed into German law by § 15 para. 3 TMG(61).

110 I therefore propose that the answer to point (b) of the first question should be that, for the purposes of applying Article 5(3) and Article 2(f) of Directive 2002/58 in conjunction with Article 2(h) of Directive 95/46, it makes no difference whether the information stored or accessed is personal data.

C. Second question

111. By its second question, the referring court asks, in essence, what information the service provider must provide in the context of the requirement in Article 5(3) of Directive 2002/58 that the user must be provided with clear and comprehensive information, and whether that includes the duration of the cookies and whether third parties have access to the cookies.

1. Clear and comprehensive information

112. Articles 10 and 11 of Directive 95/46 (and Articles 13 and 14 of Regulation 2016/679) contain an obligation to provide information to data subjects. The obligation to provide information is linked to consent in that there must always be information before consent can be given.

113 Given the conceptual proximity between an internet user (and provider) and a consumer (and trader)(62), the concept of the average European consumer(63) who is reasonably well informed, reasonably observant and circumspect and capable of making an informed decision on whether to enter into an obligation(64) can be used here.

114 However, due to the technical complexity of cookies, the asymmetric distribution of information between provider and user and, more generally, the relative lack of knowledge of any average internet user, such a user cannot be expected to have a high level of knowledge of how cookies work.

115. Clear and comprehensive information therefore means that a user is able to easily determine the consequences of any consent they give. They must be able to assess the consequences of their actions. The information provided must be clearly understandable and must not be ambiguous or open to interpretation. It must be detailed enough to enable the user to understand how the cookies actually used work.

116. As the referring court rightly points out, this includes both the duration of the function of the cookies and the question of whether third parties have access to the cookies.

2. Information about the functional duration of the cookies

117 As follows from recitals 23 and 26 of Directive 2002/58, the functional duration of cookies is an element of the requirement of informed consent, which means that service providers “[should] always keep subscribers informed of the type of data they are processing and for what purposes and for how long”. Even if the cookie is essential, the question of how intrusive it is for the purposes of consent must be assessed on the basis of the surrounding circumstances. In addition to the question of what data each cookie contains and whether it is linked to other information about the user, service providers must consider the lifespan of the cookie and whether this is reasonable in light of its purpose.

118. The functional duration of cookies is linked to the explicit requirements of informed consent regarding the quality and accessibility of information for users. This information is of paramount importance to allow data subjects to make informed choices prior to processing(65). As the Portuguese and Italian governments have argued, since the data collected by cookies must be deleted as soon as they are no longer needed to fulfill the original purpose, the period for which the collected data will be stored must be clearly communicated to the user.

3. Information on whether third parties are granted access

119. In this respect, Planet49 argues that if third parties gain access to a cookie, users must also be informed of this. However, if, as in the present case, only one provider who wants to set the cookie has access to it, it is sufficient if this fact is pointed out. The fact that other providers do not have access does not have to be pointed out separately. Such an obligation would not be compatible with the legislator’s intention that the data protection texts should remain user-friendly and therefore as short as possible.

120. I cannot agree with this interpretation. Rather, in order for the information to be clear and comprehensive, a user should be explicitly informed as to whether or not third parties have access to the cookies set. If third parties have access, their identity must be disclosed. As the Federal Association rightly points out, this is essential so that consent can be given in full knowledge of the facts.

4. Conclusion

121. I therefore propose that the answer to the second question should be that the clear and comprehensive information that a user must receive from a service provider under Article 5(3) of Directive 2002/58 includes the duration of the cookies and whether or not third parties have access to them.

V. Result

122. In the light of the foregoing considerations, I propose that the Court should answer the questions referred by the Bundesgerichtshof (Germany) as follows:

1. In a situation such as that at issue in the main proceedings, in which the storage of information or access to information already stored in the user’s terminal equipment is permitted by means of a preset checkbox which the user must deselect in order to refuse consent, and in which consent is not given separately but at the same time as confirmation of participation in an online competition, there is no valid consent within the meaning of Art. 5 para. 3 and Art. 2(f) of Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) in conjunction with Article 2(h) of Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

2. The same applies to the interpretation of Art. 5 para. 3 and 2(f) of Directive 2002/58 in conjunction with Article 4(11) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 (General Data Protection Regulation).

3. In the application of Art. 5 para. 3 and 2(f) of Directive 2002/58 in conjunction with Article 2(h) of Directive 95/46, it makes no difference whether the information stored or retrieved is personal data.

4. The clear and comprehensive information that a user must receive from a service provider pursuant to Art. 5 para. 3 of Directive 2002/58 includes the duration of the cookies and the question of whether or not third parties have access to the cookies.


Footnotes can be found at: https://curia.europa.eu/juris/document/document_print.jsf;jsessionid=6358CBB23D70451B8C16923E1EA32C3F?docid=212023&text=&dir=&doclang=EN&part=1&occ=first&mode=DOC&pageIndex=0&cid=7016148#Footnote1

