This blogpost will deal with Technology for ePrivacy requirements.
Let´s start with the Planet 49 case and the issue of cookie consent and what the Advocate General says:
Consent is required for any cookie !
The Advocate General makes it clear:
How to identify cookies on a website
Signatu Trackerdetect is a paid service that companies can sign up to and use to identify cookies on their site, and use Signatu Consent Solution to request user consent for cookies.
This is the offering to manage 3rd parties on websites:
Let´s use Signatu Trackerdetect to identify cookies on the homepage of a popular GERMAN NEWSPAPER.
Signatu Trackerdetect´s analysis of the homepage carried out on April 8, 2019 3:07 PM shows the following cookies:
Signatu Trackerdetect can also identify whether a cookie is set by a 3rd party.
Validity of cookie consent
What does the Advocate General in the Planet 49 case say about validity of cookie consent?
He says:
Active consent: Consent is invalid if checkbox is pre-ticked
What does the Advocate General in the Planet 49 case say about validity of cookie consent if a checkbox is pre-ticked?
He says:
Also, the the Advocate General says:
First, requiring a user to positively untick a box and therefore become active if he does not consent to the installation of cookies does not satisfy the criterion of active consent. In such a situation, it is virtually impossible to determine objectively whether or not a user has given his consent on the basis of a freely given and informed decision. By contrast, requiring a user to tick a box makes such an assertion far more probable.
Secondly and more importantly, the participation in the online lottery and the giving of consent to the installation of cookies cannot form part of the same act. But this is precisely the case in the present proceedings. In the end, a user only effectuates one click on the participation button in order to participate in the lottery. At the same time he consents to the installation of cookies. Two expressions of intention (participation in the lottery and consent to the installation of cookies) are made at the same time. These two expressions cannot both be subject to the same participation button. Indeed, in the present case, the consenting to the cookies appears ancillary in nature, in the sense that it is in no way clear that it forms part of a separate act. Put differently, (un)ticking the checkbox on the cookies appears like a preparatory act to the final and legally binding act which is ‘hitting’ the participation button.
In such a situation, a user is not in a position to freely give his separate consent to the storing of information or the gaining of access to information already stored, in his terminal equipment.
Moreover, it has been established above that participation in the lottery was only possible if at least the first checkbox had been ticked. As a consequence, participation in the lottery was not conditional (48) upon giving consent to the installation of and gaining access to cookies. For a user might as well have clicked the first checkbox (only).
But, to the best of my knowledge, at no point was the user informed of this. This does not meet the criteria on fully informing users established above.
In summary, my proposed answer to Question 1(a) and c) is that there is no valid consent within the meaning of Articles 5(3) and 2(f) of Directive 2002/58, read in conjunction with Article 2(h) of Directive 95/46, in a situation such as that of the main proceedings where the storage of information, or access to information already stored in the user’s terminal equipment, is permitted by way of a pre-ticked checkbox which the user must deselect to refuse his consent and where consent is given not separately but at the same time as confirmation in the participation in an online lottery. The same goes for the interpretation of Articles 5(3) and 2(f) of Directive 2002/58, read in conjunction with Article 4, point 11, of Regulation 2016/679.
Separate consent: Cookie consent is invalid if it is bundled with other expressions of intentions
What does the Advocate General in the Planet 49 case say about validity of cookie consent if the consent request is bundled with other expressions of intentions?
He says:
Clear and comprehensive cookie consent information
What does the Advocate General in the Planet 49 case say about how to inform users in cookie consent requests?
He says:
Information to users to enable users to determine the consequences of cookie consent
What does the Advocate General in the Planet 49 case say about how the quality of information in cookie consent requests?
He says:
Information on the duration of the operation of the cookies
What does the Advocate General in the Planet 49 case say about the information in cookie consent requests regarding its duration of operation??
He says:
Information on third party access to cookies
What does the Advocate General in the Planet 49 case say about the information in cookie consent requests regarding third party access to cookies?
He says:
A critique of the Advocate General: Can a third party access a cookie that a website sets? No. Only the website can access a cookie that itself sets on a user machine/browser. However, if that website has a third party embedded on its site, that third party can access cookies it previously stored on the user machine/browser.
So, how do you ask for consent to set a cookie on a user machine/browser?
Coming up later ... :-)