Cookie banners – Marketing consent – Enforcing claims for GDPR non-compliance.
Requests for all sorts of consent dominate digital life; however, the design of consent forms varies greatly. Some websites work with elaborate cookie banners, while others only provide rudimentary information and consent is “assumed” rather than obtained.
The German Federal Court of Justice’s decision on Planet49 (file number I ZR 7/16) and Facebook (file number I ZR 186/17).
Planet49 (also called “Cookie Consent II” decision)
With its first decision today, following the Planet49 decision of the European Court of Justice (“CJEU”) (please refer to our summary of this decision for more details), the FCJ ruled on the requirements that must be met to obtain valid cookie consent. The court held that:
- Using cookies for marketing or market intelligence purposes generally requires the user’s consent;
- This applies irrespective of whether cookies collect personal data or not;
- Consent must be given through active confirmation by the user. Pre-checked checkboxes neither suffice under the German Tele Media Act, nor under the GDPR; and
- To satisfy the requirement of informed consent, information must be detailed, but may not be excessive, as overwhelming amounts of information prevent users from effectively taking note of the information they are provided with.
The decision in the second proceedings, against Facebook, was suspended today, as the FCJ referred the case to the CJEU. The CJEU was asked to clarify whether EU law allows Member State law that enables competitors and consumer protection associations to enforce civil law claims based on non-compliance with the GDPR.
“Active confirmation” – Decision in the Planet49 proceedings (so-called “Cookie Consent II” decision)
Proceedings against Planet49 were commenced by the Federation of German Consumer Organizations (in German: Bundesverband der Verbraucherzentralen) against both these options to obtain consent. The FCJ initially suspended the proceedings and consulted the CJEU on the interpretation of EU law.
On October 1, 2019, the CJEU clarified that, among other things, consent cannot be validly obtained through pre-checked check-boxes and this constituted a failure to meet the requirements of the ePrivacy Directive (C-673/17 - Planet49). The court clarified that pre-checked check-boxes were not sufficient to comply with the Data Protection Directive (the GDPR’s predecessor) and that the CJEU’s ruling meant this remained true under the GDPR.
Notably, the court clarified that this consent was mandatory irrespective of whether the data collected through the cookies qualified as personal data.
“Informed consent” – Decision in the Planet49 proceedings (“Cookie Consent II” decision)
In their Cookie Consent II decision, the FCJ further clarified the requirements that must be met for the consent to constitute informed consent. Planet49 had tried to obtain the participants’ consent to be contacted for marketing purposes via phone, text message, regular mail or e-mail by Planet49’s sponsors and cooperation partners. To obtain this consent, Planet49 did not rely on a pre-checked checkbox, but instead the generic consent text linked to a list of 57 companies, asking participants to decide on a company-by-company basis whose marketing communication they wanted to receive. Where no choice was made, Planet49 would decide on behalf of the participant.
The FCJ held that this setup did not constitute informed consent, which required (1) that participants were aware of what they were consenting to, and (2) which products and services were covered by their consent. These requirements, the court held, cannot be met by presenting users with excessive options to choose from. Such excessive options would only cause users to abstain from reviewing the information they are presented with and avoid making a decision. Planet49 could not rely on the decision they made on the users’ behalf in cases where the user failed to make a decision. This decision, the court held, was neither actively given, nor informed, as the users were overwhelmed by the choices they were presented with and therefore did not take proper note of the information they were given.
Competitors’ and consumer protection associations’ claims for GDPR infringements - Decision in the Facebook proceedings
In their second landmark decision on the requirements under the GDPR, the FCJ was asked to rule on the requirements of informed consent in the context of online games Facebook makes available to users through its app center. The FCJ did not rule on the questions at hand, but suspended proceedings, asking the CJEU for a preliminary ruling on whether the GDPR precludes Member State laws that enable third-party legal actions, namely giving competitors and consumer protection associations the option to initiate civil law actions against companies infringing the GDPR.
This question is highly disputed both in the German courts and in German legal literature. Those against giving competitors and consumer protection associations standing in court at times argue that the GDPR exclusively regulates this aspect. However, those in favor argue that the GDPR did not intend to exclusively regulate this aspect and that competitors and consumer protection associations are entitled to bring claims under German laws outside the GDPR. In 2019 the CJEU ruled in favor of the competitors’ and consumer protection associations’ standing; however, this ruling needs to be read in light of the Data Protection Directive and does not confirm whether its findings continue to apply under the GDPR. This is what the CJEU now has to rule on.