Consent in online contexts - the German Federal Court of Justice’s decision on Planet49 and Facebook

05-2020

Cookie banners – Marketing consent – Enforcing claims for GDPR non-compliance.
The German Federal Court of Justice’s decision on Planet49 (file number I ZR 7/16) and Facebook (file number I ZR 186/17).

Requests for all sorts of consent dominate digital life, however, the design of consent forms vary greatly. Some websites work with elaborate cookie banners, other only provide rudimentary information and consent is “assumed” rather than obtained.

Today, the German Federal Court of Justice (“FCJ”) handed down two important cases concerning consent, the use of cookies and the enforcement of claims under the GDPR by third parties(see the press releases available here  and here – so far only press announcements of the decisions are available in German).

Planet49 (also called “Cookie Consent II” decision)

With its first decision today, following the Planet49 decision of the European Court of Justice (“CJEU”) (please refer to our summary of this decision for more details), the FCJ ruled on the requirements that must be met to obtain valid cookie consent. The court held that:

  • Section 15 para. 3 of the German Tele Media Act (“TMG”), which provides a statutory basis for the use of cookies, must be interpreted in line with ePrivacy Directive;
  • Using cookies for marketing or market intelligence purposes generally requires the user consent;
  • This applies irrespective of whether cookies collect personal data or not;
  • Consent must be given through active confirmation by the user. Pre-checked checkboxes neither suffice under the German Tele Media Act, nor under the GDPR; and
  • To satisfy the requirement of an informed consent, information must be detailed, but may not be excessive, as overwhelming amounts of information prevent that users effectively take not of the information they are provided with.

Facebook

The decision in the second proceedings against Facebook, was suspended today, as the FCJ referred the case to CJEU. The CJEU was asked to clarify whether EU law allows Member State law, which enables competitors and consumer protection associations to enforce civil law claims based on incompliance with the GDPR.

“Active confirmation”– Decision in the Planet49 proceedings (so-called “Cookie Consent II” decision)

Planet49, being the defendant in this case, had held a raffle which was available on Planet49’s website. When registering for the raffle, participants were asked to consent (1) to the use of cookies, and (2) to receiving marketing calls, text messages e-mails and regular mail. In both cases, Planet49 used check-boxes to obtain consent. While the checkbox to obtain cookie consent was pre-checked, the checkbox for obtaining marketing consent was not. However, users were only able to participate in the raffle if at least one of the checkboxes was checked.

Proceedings against Planet49 were commenced by the Federation of German Consumer Organizations (in German: Bundesverband der Verbraucherzentralen) against both these options to obtain consent. The FCJ initially suspended the proceedings and consulted the CJEU on the interpretation of EU law.

On October 1, 2019 the CJEU clarified that, among other things, consent cannot be validly obtained through pre-checked check-boxes and this constituted a failure to meet the requirements of the ePrivacy Directive (C-673/17 - Planet49). The court clarified that pre-checked check-boxes were not sufficient to comply with the Data Protection Directive (the GDPR’s predecessor) and that the CJEU’s ruling meant this remained true under the GDPR.

As expected, the ruling handed by the FCJ down today confirmed that under German law consent is not validly obtained by way of pre-checked check-boxes that participants must un-check, if they do not want cookies to be used. The court held that Section 15 para. 3 of the TMG, which provides a statutory basis for the use of cookies when pseudonyms are used and the participant does not object, must be interpreted in line with Article 5 para. 3 sentence 1 of the ePrivacy Directive, such that the use of cookies to create user profiles for advertising or market research purposes requires the users’ explicit consent.

Notably, the court clarified that this consent was mandatory irrespective of whether the data collected through the cookies qualified as personal data.

While the decision takes a clear stance on the formal requirements for consent, the FCJ did not decide if and when using cookies requires consent, where cookie data is used for the purposes of advertising and market research (at least such decision was not included in the press statement) . Even after this decision, website providers may continue to use cookies based on statutory provisions such as legitimate interest, provided the requirements of the respective statutory provision are met. Therefore, at least functionality and technically necessary cookies (e.g. to authenticate users or to provide a shopping basket function) may continue to be used on the website providers’ legitimate interest.

Informed consent” – Decision in the Planet49 proceedings (“Cookie Consent II” decision)

In their Cookie Consent II decision, the FCJ further clarified the requirements that must be met for the consent to constitute informed consent. Planet49 had tried to obtain the participants’ consent to be contacted for marketing purposes via phone, text message, regular mail or e-mail by Planet49’s sponsors and cooperation partners. To obtain this consent, Planet49 did not rely on a pre-checked checkbox, but instead the generic consent text linked to a list of 57 companies, asking participants to decide on a company-by-company basis whose marketing communication they wanted to receive. Where no choice was made, Planet49 would decide on behalf of the participant.

The FCJ held that this setup did not constitute informed consent, which required (1) that participants were aware of what they were consenting to, and (2) which products and services were covered by their consent. These requirements, the court held, cannot be met by presenting users with excessive options to chose from. Such excessive options would only cause users to abstain from reviewing the information they are presented with and avoid making a decision. Planet49 could not rely on the decision they made on the users’ behalf in cases where the user failed to make a decision. This decision, the court held, was neither actively given, nor informed, as the users were overwhelmed by the choices they were presented with and there did not take proper note of the information they were given.

Competitors and consumer protection associations claims for GDPR infringements - Decision in the Facebook proceedings

In their second landmark decision on the requirements under the GDPR, the FCJ was asked to rule on the requirements of informed consent in the context of online games Facebook makes available to users through its app center. The FCJ did not rule on the questions at hand, but suspended proceedings, asking the CJEU for a preliminary ruling on whether the GDPR precludes Member State laws, which enable third party legal actions, namely giving competitors and consumer protection associations the option to initiate civil law actions against companies infringing the GDPRThis question is highly disputed both in the German courts and in German legal literature. Those against giving competitors and consumer protection associations standing in court at times argue that the GDPR exclusively regulates this aspect. However, those in favor argue that the GDPR did not intend to exclusively regulate this aspect and that competitors and consumer protection associations are entitled to bring claims under German laws outside the GDPR. In 2019 the CJEU ruled in favor of the competitors’ and consumer protection associations’ standing, however, this ruling needs to be read in light of the Data Protection Directive and does not confirm, if its findings continue to apply under the GDPR. This is what the CJEU now has to rule on.