The ECJ’s Decision in “Planet49” (Case C-673/17): A Cookie Monster or Much Ado About Nothing?

In “Planet49”, the ECJ ruled that a pre-selected checkbox on a website (which the user must actively deselect to refuse consent) does not constitute valid consent under data protection law. In this context, the Court also provided guidance on the extent of the existing informational duties. It furthermore found that it does not make a difference with respect to Art. 5(3) ePrivacy Directive whether or not information that is stored or accessed on the terminal device of a user constitutes personal data. Most of these findings are not surprising and are in accordance with the values underlying today’s data protection and privacy regulations. Unfortunately, the ECJ failed to address the role Art. 7(2) GDPR plays for online declarations referring to both consent and other matters. It thus missed a valuable opportunity to provide further clarity on how consent can be given in a way that is compliant with data protection regulations and user-friendly at the same time. Unfortunately, the Court was not asked to show a way out of the dogmatic Gordian knot arising from the German Telemedia Act, parts of which are still in clear contradiction to Art. 5(3) ePrivacy Directive.

Functioning of the European Union) by the German Federal Supreme Court. 1 The questions stemming from the underlying proceedings between the Federal Union of Consumer Organisations and Associations (Federation of Consumer Organisations) and Planet49 GmbH, an online gaming company, refer to the granting of consent to data processing in online environments and corresponding side issues. Fortunately, due to procedural issues the ruling refers not only to the (repealed) Data Protection Directive 2 (DPD), but also to the General Data Protection Regulation 3 (GDPR). 4 The focus of the decision is on the interplay of either regime with the so-called ePrivacy Directive. 5 In the following, the analysis will mainly examine the interplay of the ePrivacy Directive and the GDPR.

Matter in Dispute
The matter in dispute was an online promotional lottery organised by Planet49 GmbH. 6 To participate, users had to provide their name and address. They were confronted with a webpage containing three items relevant for the legal analysis: two bodies of explanatory text (each accompanied by a checkbox) and a button which roughly read ''Click here to participate free of charge''. The first checkbox was not pre-selected. The attached text basically allowed third parties to contact users by post, telephone, e-mail, etc. for advertising purposes. The second checkbox contained a pre-selected tick. Its accompanying text read: ''I agree to the web analytics service Remintrex being used for me. This has the consequence that [Planet49] sets cookies, which enables Planet49 to evaluate my surfing and use behaviour on websites of advertising partners and thus enables advertising by Remintrex that is based on my interests. (…)'' Thus, the pre-selected second checkbox allowed extensive cookie-based tracking of users for advertising purposes. Before clicking the button, users had to actively tick the first checkbox, while it was not mandatory to leave the second checkbox ticked. Users were free to untick the box and, in doing so, deny consent to the placing of cookies (and subsequent tracking). 7
4 The GDPR became applicable during the national proceedings. Thus, it will most likely be applied in the main proceedings. This is why the ECJ passed judgment on either regime.

Questions Referred to the Court
Three questions were submitted to the ECJ, all of which only refer to the second, pre-selected checkbox. 8 Firstly, is valid consent given within the meaning of Arts. 5(3) and 2(f) ePrivacy Directive, read in conjunction with Art. 2(h) DPD or, now, Art. 6(1)(a) GDPR, if the storage of information, or access to information already stored in the user's terminal equipment, is permitted by way of a pre-selected checkbox which the user must deselect to refuse his or her consent? Secondly, what information does the service provider have to give, according to Art. 5(3) ePrivacy Directive, within the scope of the provision of clear and comprehensive information to the user, and does this include the duration of the operation of the cookies and whether third parties are given access to the cookies? Thirdly, when information is stored or accessed in accordance with Art. 5(3) ePrivacy Directive, does it make a difference whether or not this information constitutes personal data under data protection law?

Decision of the Court

Consent by Means of a Pre-Selected Checkbox?
It is not surprising that the ECJ ruled in response to the first question that a pre-selected checkbox which the user must deselect to refuse his or her consent does not constitute valid consent for the data processing envisaged by Planet49.

Reasoning of the Court
The ECJ's primary line of argumentation is that active behaviour on the part of the user is necessary for valid consent. 9 Thus, a pre-selected checkbox does not suffice. This is convincing and holds true under the DPD and the GDPR. In terms of methodology, the ECJ's interpretation of the relevant statutes is of a literal and a historical nature.
7 Ibid., para. 28.
The starting point of this assessment is the wording of the first sentence of Art. 5(3) ePrivacy Directive:
Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with [the DPD], inter alia, about the purposes of the processing.
Article 2(f) ePrivacy Directive links the ePrivacy Directive to the DPD. The term ''consent'' under the ePrivacy Directive refers to the definition contained in Art. 2(h) DPD. Pursuant to Art. 94(2) GDPR, this link now refers to the GDPR's definition of consent in Art. 4(11) GDPR.
Firstly, the ECJ refers, by means of a literal interpretation, to the wording of Art. 5(3) ePrivacy Directive. This provision does not directly state how consent should be granted, but still implies that the act of granting consent is an active one (''given his or her consent''). 10 This is supported by Recital 17, which lists ''ticking a box when visiting an Internet website'', an active behaviour, by way of example in the context of the granting of consent. This finding is complemented by Art. 2(h) DPD, where consent is defined as a ''freely given specific and informed indication'' of the data subject's wishes. Use of the term ''indication'' indeed implies active behaviour. Also, consent must be given ''unambiguously''. 11 This is only possible when the user takes action (as opposed to remaining passive). Under the GDPR, the legal situation is defined in an even clearer manner. According to Art. 4(11) GDPR, consent means ''any (…) indication of the data subject's wishes (…) by a statement or by a clear affirmative action (…)''. The term ''clear affirmative action'' strongly suggests active behaviour on the part of the user. In casu, Recital 32 GDPR provides a killer argument, declaring that ''[s]ilence, pre-ticked boxes or inactivity should not (…) constitute consent.'' This interpretation 12 of Art. 4(11) GDPR barely leaves any doubt that the pre-selected checkbox did not constitute valid consent.
This line of reasoning is supported by means of a historical interpretation. The initial 2002 ePrivacy Directive demanded in its Art. 5(3) that the user ''is provided with clear and comprehensive information in accordance with [the DPD] (…) and is offered the right to refuse such processing''. This opt-out approach was replaced in 2009; the user must now have ''given his or her consent''. This deliberate change of wording shows that consent now must result from an (active) opt-in, as opposed to the opt-out solution in place before. 13
10 Case C-673/17, Planet49, 1 October 2019, ECLI:EU:C:2019:801, para. 49.
11 Art. 7(a) DPD.
12 Recitals are not supposed to have an autonomous legal effect, but rather serve as a tool to interpret the corresponding provisions in the binding part of the respective legal act; Baratta (2014), pp. 302-303.
13 Case C-673/17, Planet49, 1 October 2019, ECLI:EU:C:2019:801, para. 56.

Between-the-Line-Implications on Art. 7(2) GDPR
In the following, it will be argued that the ECJ's decision on Art. 5(3) ePrivacy Directive is convincing, even though the Court failed to explicitly address one question worthy of note (regarding the interpretation of Art. 7(2) GDPR), which is decisive for the matter in dispute and for future cases. Still, based on what has not been said, Planet49 can be of value for the interpretation of Art. 7(2) GDPR and for further defining the conditions for the granting of valid consent in online environments.
The ECJ has been criticised 14 for not discussing and solving the present case under Art. 7(2) GDPR, which reads: If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
The underlying idea of this argument is as follows: Art. 7(2) GDPR takes for granted that consent can be given as part of a ''written declaration which also concerns other matters''. 15 The most common scenario would probably be a demand for consent contained in terms and conditions, whereas the latter also refers to other subject matter (such as delivery time and costs, warranty issues, etc.). In the case at hand, one might argue that the button and the two checkboxes combined represent such a declaration. Consequently, the behaviour on the part of the user might, arguably, be considered active. She has to actively click the button in order to participate in the lottery, which could be considered an indication of agreeing with the text next to the second checkbox. This might be enough to assume an ''affirmative action'' under Art. 4(11) GDPR.
Blame can be laid on the ECJ for not openly mentioning, let alone discussing, Art. 7(2) GDPR, as this line of argumentation is rather obvious and might also be invoked by other data controllers in similar situations. Yet, the way the Court argues implies that it was aware of this statute, but simply found that the overall conditions for valid consent were not given. This finding is correct, for different reasons, and, even though every case calls for individual assessment, provides valuable general implications for the assessment of the validity of consent.
Firstly, the underlying rationale of Art. 7(2) GDPR is to protect data subjects by making sure, through formal requirements, that the request for consent is made in a visually transparent and intellectually understandable manner. 16 Put differently, the statute does not aim at lowering the threshold for the giving of valid consent, but at raising and specifying the level of protection instead. This is in line with the ECJ's argument that ''the fact that a user selects the button to participate in the promotional lottery organised by that company cannot (…) be sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies.'' 17 The Court argues that the consent given in the case at hand was not ''specific'' enough according to Art. 4(11) GDPR. 18 With a view to the design of the website presented to the users, this is convincing. A ''declaration which also concerns other matters'' should not serve as a means of circumventing the safeguards that lawmakers wanted to put in place. At the same time, the Court's reasoning underlines that Art. 7(2) GDPR draws a fine, delicate line between valid and invalid consent. The ECJ fortunately did not follow the Advocate General (AG), who argued that ''participation in the online lottery and the giving of consent (…) cannot form part of the same act.'' 19 This approach would render Art. 7(2) GDPR (de facto) void and create unnecessary obstacles to the granting of consent. 20 Thus, had the text on the button, for instance, made clear reference to the data protection implications given, clicking it would have included specific, valid consent. 21
14 Hanloser (2019), pp. 560-561.
15 The term ''written declaration'' includes statements given by electronic means (Recital 32 GDPR).
Secondly, the ECJ's reasoning confirms that for a meaningful assessment, it is imperative to consider all provisions relevant, in particular Arts. 4(11), 6(1)(a) and 7 GDPR.
These statutes must be read in conjunction and with a view to the corresponding Recitals when assessing the validity of consent in a given case. 22 The user's viewpoint is to be taken, without unduly dividing what is presented to him in an artificial manner. In the present case, this means that the complete oeuvre of items shown to users by Planet49 must be assessed in its entirety and with the abovementioned statutes' telos in mind. It is obvious that a user clicking the button would like to participate in the lottery. Yet, it is convincing when the ECJ implicitly argues that this act of clicking is neither an ''unambiguous indication'' of his or her wishes nor a ''clear affirmative action'' with a view to the extensive online tracking envisaged by Planet49. Clicking the button has nothing to do per se with the granting of consent to the processing of personal data. Users just want to participate in the lottery. Thus, assuming a ''specific'' indication of a wish to consent to the processing of their personal data seems too far-fetched. 23 This is also underlined by the basic rationale of Recital 32, that ''[s]ilence, pre-ticked boxes or inactivity should not (…) constitute consent.'' Accordingly, one should not argue that all kinds of active behaviour suffice per se. Rather, a holistic assessment of the individual circumstances must find that the way in which consent is granted reflects the GDPR's spirit in that it must be given actively. One might argue 24 that the second checkbox actually increases the user's freedom. She is able to deny consent but still participate in the lottery, which could imply ''freely given'' consent (Art. 4(11) GDPR). But judging from the disputed website's layout, a free, deliberate choice can be doubted. The requirement to actively tick the first checkbox suggests, from a user's point of view, that the second checkbox must be left ticked as well. 
Put differently, a user must get the impression that if it is necessary to tick the first box, she will not be able to proceed without leaving the second box checked all the more. 25

Informational Duties
In response to the second question, the ECJ ruled that Art. 5(3) ePrivacy Directive must be interpreted ''as meaning that the information that the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.'' 26 This is (mostly) true under the DPD and the GDPR.
Article 5(3) ePrivacy Directive demands that the user be ''provided with clear and comprehensive information, in accordance with [the DPD]''. Article 10 DPD lists the information to be provided in a non-exhaustive (''at least'') manner. With a view to the extensive amount of profiling made possible by tracking, 27 the ECJ's interpretation that the duration of the operation of cookies must be provided is convincing. Under the GDPR, this discussion is obsolete, as the information has to be provided anyway. 28 In addition, under Arts. 10(c) DPD and 13(1)(e) GDPR, the recipients or categories of recipients of the data must be provided.
Two points are noteworthy. 29 Firstly, as regards third-party data sharing, it is not clear whether, according to the ECJ, the service provider would also be obliged to inform users about the fact that data are not shared with third parties (''whether or not third parties may have access'' 30 ). Under the GDPR, it would be rather difficult to argue for an obligation this far-reaching. 31 Article 13(1)(e) GDPR states that ''the controller shall (…) provide the data subject with all of the following information: (…) the recipients or categories of recipients of the personal data, if any''. 32 This wording implies that an informational duty only exists when there are third-party recipients in the first place. With a view to the present case, this discussion is an academic one, as setting cookies in the context of an advertising network is barely possible without third-party data sharing. But for other data controllers, 33 it makes a difference whether they always have to inform if third-party recipients exist. Secondly, the ECJ did not discuss whether consent is only ''informed'' (Art. 4(11) GDPR) when the data controller has complied with the informational duties arising from Arts. 13-14 GDPR. One might argue that a user is only capable of giving truly informed consent when she has received all the information pursuant to these statutes. Yet, the answer to this question is quite foreseeable, as Recital 42 implies differently: ''For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.'' The small amount of information to be provided ''at least'' suggests that informed consent can be given even if the data controller does not comply with all her informational duties. 34
25 AG Szpunar argues, based on the premise that users were not informed that the second checkbox can be unticked, that no ''informed'' (Art. 4(11) GDPR) consent was given (

''Information'' under Art. 5(3) ePrivacy Directive
The ECJ found that in the context of Art. 5(3) ePrivacy Directive, it makes no difference whether the information stored or accessed constitutes personal data under the DPD or GDPR. 35 This is correct. The ePrivacy Directive chose not to use the term ''personal data'' in its Art. 5(3), but in many other instances, and its Recital 24 makes clear that the private sphere of users can be threatened through ''spyware, web bugs, hidden identifiers and other similar devices'' that do not necessarily qualify as personal data. 36 The term information is broader than personal data. This means that protection under the ePrivacy Directive is given at an earlier point in time than under the DPD and the GDPR. Information flows are (partially) regulated, no matter if they represent personal data or not. In online contexts, once enough information stored on the terminal equipment of a user is collected and combined, its legal qualification might ''tip'' and it might be qualified as personal data under data protection legislation. 37 This in turn means that all the GDPR safeguards and obligations apply. 38 The ''pivot point'' is reached, as a rule of thumb, with identifiability of the natural person. 39 The legal qualification of information might change during the course of time for different reasons. 40 This renders data protection compliance cumbersome, as could be witnessed in the notorious Breyer decision. 41 The responsibility to assess if personal data are given (or not yet given) lies with the data controller.
34 The same outcome is reached by Art. 29 Working Party (2018), p. 15 and by Buchner and Kühling in Kühling and Buchner (2018), Art. 7, para. 59.
35 Case C-673/17, Planet49, 1 October 2019, ECLI:EU:C:2019
36 The term personal data is defined in Arts. 2(a) DPD and 4(1) GDPR.
37 It has been proven in various contexts that sometimes very few pieces of information suffice to establish a link to the identity of a natural person. Cf. Sweeney (2000), p. 1 who found that ''combinations of few characteristics often combine in populations to uniquely or nearly uniquely identify some individuals. (…) It was found that 87% (216 million of 248 million) of the population in the United States had reported characteristics that likely made them unique based only on [their 5-digit ZIP code, gender and date of birth].''
38 The GDPR is only applicable when personal data are processed: Art. 2(1) GDPR. The processing of mere information does not suffice. On the distinction between the terms privacy and data protection, cf. Kokott and Sobotta (2013) passim.
39 Cf. Art. 4(1) GDPR: Personal data might be given no matter if the person they relate to is identified or identifiable, whereby the latter ''is one who can be identified, directly or indirectly (…)''. Also see Recital 30 GDPR: The association of natural persons with online identifiers ''may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.''
40 For instance, see Recital 26 GDPR: ''To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments'' (emphasis added).
In sum, Art. 5(3) ePrivacy Directive can be seen as part of a two-step protection regime: privacy implications stemming from the processing of information are partially tackled (only) under the ePrivacy Directive, while data protection implications stemming from the processing of personal data fall, in addition, under the GDPR.

Further Thoughts
It is unfortunate that the ECJ was not asked to decide whether Sec. 15(3) of the German Telemedia Act is compatible with Art. 5(3) ePrivacy Directive. This national statute ''authorises a service provider to establish user profiles through pseudonyms for purposes of advertising, market analysis, or configuration of electronic media, provided that the user does not object and the service provider has informed the user of his or her right of refusal (…).'' 42 This opt-out solution (''does not object'') is in clear-cut contradiction to the opt-in requirement contained in Art. 5(3) ePrivacy Directive (''has given his or her consent''). 43 In its request for a preliminary ruling, the German Federal Supreme Court indicated that an interpretation of Sec. 15(3) Telemedia Act in line with the ePrivacy Directive would be possible. 44 This approach is questionable, as this interpretation would run entirely counter to the wording of the national statute. Also, a direct application of Art. 5(3) ePrivacy Directive is not possible, as Directives cannot create obligations for individuals. 45 With a view to the primacy of EU law, the lesser dogmatic evil would probably be not to apply Sec. 15(3) Telemedia Act at all. This has also been suggested by the Datenschutzkonferenz, which is a joint body of the data protection authorities of the German federal and state governments. 46 Consequently, this would mean that in Germany, the cases which are supposed to fall under Sec. 15(3) Telemedia Act would fall instead under the GDPR. This leads to various dogmatic questions, e.g. whether a data controller (who would like to establish user profiles) could rely not only on consent, 47 but alternatively on its legitimate interests as legal basis: Art. 6(1)(f) GDPR. 48 An apparently incoherent picture would become manifest. The scope of application of Art. 5(3) ePrivacy Directive is broad, referring to information, whereas the GDPR only covers personal data processing.
Yet, the former legal regime strictly demands consent, whereas the latter is more flexible by also providing a legal basis (legitimate interests) that can be applied without user consent. This shows that the ePrivacy Directive is not only part of the two-step protection regime pictured above, but also lex specialis to the GDPR. Thus, Art. 6(1)(f) GDPR should not be accepted as the legal basis for the placing of cookies, as this runs counter to the rationale of the ePrivacy Directive's opt-in solution. This is in line with the reasoning of the ECJ (in a different context) that ''the interpretation of a provision of EU law requires that account be taken not only of its wording and the objectives it pursues, but also of its legislative context and the provisions of EU law as a whole''. 49 Hence, in the context discussed here, Art. 6(1)(f) GDPR should be interpreted in line with Art. 5(3) ePrivacy Directive to the effect that legitimate interests are regularly not given. 50 Apart from that, a protection gap resulting from Germany's legislative inaction still exists, given that the GDPR only covers the processing of personal data, whereas Art. 5(3) ePrivacy Directive covers all sorts of information. 51 These questions might become obsolete as a revision of the Telemedia Act is now under consideration. Delivery of the judgment of the German Federal Supreme Court has been scheduled for 28 May 2020. It remains to be seen whether the Court will be able to undo the Gordian knot pictured above.