Language of document : ECLI:EU:C:2019:246

OPINION OF ADVOCATE GENERAL

SZPUNAR

delivered on 21 March 2019(1)

Case C673/17

Planet49 GmbH

v

Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.

(Request for a preliminary ruling from the Bundesgerichtshof (Federal Court of Justice, Germany))

(Preliminary reference — Directive 95/46/EC — Directive 2002/58/EC — Regulation (EU) 2016/679 — Processing of personal data and protection of privacy in the electronic communications sector — Cookies — Concept of consent of the data subject — Declaration of consent by means of a pre-selected checkbox)






I.      Introduction

1.        In order to participate in a lottery organised by Planet49, an internet user was confronted with two checkboxes which had to be clicked or unclicked before he could hit the ‘participation button’. One of the checkboxes required the user to accept being contacted by a range of firms for promotional offers, another checkbox required the user to consent to cookies being installed on his computer. These are, in a nutshell, the facts of the present order for reference from the Bundesgerichtshof (Federal Court of Justice, Germany).

2.        Beneath these seemingly benign facts lie fundamental issues of EU data protection law: what precisely are the requirements of informed consent which is to be freely given? Is there a difference as regards the processing of personal data (only) and the setting of and access to cookies? Which legal instruments are applicable?

3.        In this Opinion I shall argue that, as regards the current case, the requirements for giving consent are the same under Directive 95/46/EC (2) and Regulation (EU) 2016/679 (3) and that there is, in the case at issue, no difference whether we are dealing with the general question of processing of personal data or the more particular one of storing of and gaining access to information by way of cookies.

II.    Legal framework

A.      EU law

1.      Directive 95/46

4.        Article 2 of Directive 95/46, headed ‘Definitions’, provides:

‘For the purposes of this Directive:

(h)      “the data subject’s consent” shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.’

5.        Within Section II of that directive, entitled ‘Criteria for Making Data Processing Legitimate’, Article 7 provides under point (a):

‘Member States shall provide that personal data may be processed only if:

(a)      the data subject has unambiguously given his consent; or

…’

6.        Article 10 of the same directive, headed ‘Information in cases of collection of data from the data subject’, provides as follows:

‘Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:

(a)      the identity of the controller and of his representative, if any;

(b)      the purposes of the processing for which the data are intended;

(c)      any further information such as

–        the recipients or categories of recipients of the data,

–        whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,

–        the existence of the right of access to and the right to rectify the data concerning him

in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.’

2.      Directive 2002/58/EC (4)

7.        Recitals 24 and 25 of Directive 2002/58/EC (5) state the following:

‘(24)      Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user’s terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.

(25)      However, such devices, for instance so-called “cookies”, can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46 about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user’s terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.’

8.        Article 2 of that directive, headed ‘Definitions’, provides, under point (f):

‘Save as otherwise provided, the definitions in Directive 95/46 and in Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive) [(6)] shall apply.

The following definitions shall also apply:

(f)      “consent” by a user or subscriber corresponds to the data subject’s consent in Directive 95/46;

…’

9.        Article 5(3) of that directive, that article being headed ‘Confidentiality of the communications’, provides:

‘Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’

3.      Directive 2009/136/EC (7)

10.      Recital 66 of Directive 2009/136/EC (8) states:

‘Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.’

4.      Regulation 2016/679

11.      Recital 32 of Regulation 2016/679 states:

‘Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.’

12.      Article 4, point (11), of that regulation, that article being headed ‘Definitions’, provides:

‘For the purposes of this Regulation:

(11)      “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

…’

13.      Article 6 of the same regulation, headed ‘Lawfulness of processing’, provides:

‘1.      Processing shall be lawful only if and to the extent that at least one of the following applies:

(a)      the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

...’

14.      Article 7 of Regulation 2016/679 is headed ‘Conditions for consent’. According to Article 7(4), ‘[w]hen assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract’.

B.      German law

1.      The German Civil Code

15.      Article 307 (9) of the Bürgerliches Gesetzbuch (German Civil Code, the ‘BGB’) provides:

‘(1)       Provisions in standard business terms are ineffective if, contrary to the requirement of good faith, they unreasonably disadvantage the other party to the contract with the user. An unreasonable disadvantage may also arise from the provision not being clear and comprehensible.

(2)       An unreasonable disadvantage is, in case of doubt, to be assumed to exist if a provision

1.      is not compatible with essential principles of the statutory provision from which it deviates, or

2.      limits essential rights or duties inherent in the nature of the contract to such an extent that attainment of the purpose of the contract is jeopardised.

(3)       Subsections (1) and (2) above, and articles 308 and 309 apply only to provisions in standard business terms on the basis of which arrangements derogating from legal provisions, or arrangements supplementing those legal provisions, are agreed. Other provisions may be ineffective under subsection (1) sentence 2 above, in conjunction with subsection (1) sentence 1 above.’

2.      The Law against Unfair Competition

16.      The Gesetz gegen den unlauteren Wettbewerb (Law against Unfair Competition, the ‘UWG’) prohibits commercial practices which constitute unacceptable nuisance to a market participant. Article 7(2) of the UWG provides, under point (2), that ‘[a]n unacceptable nuisance shall always be assumed in the case of … advertising by means of a telephone call, made to a consumer without his prior express consent, or made to another market participant without at least the latter’s presumed consent’.

3.      The Telemedia Act

17.      Article 12(1) of the Telemediengesetz (Telemedia Act, the ‘TMG’) transposes Article 7(a) of Directive 95/46 and sets forth the conditions under which a service provider is authorised to collect and use personal data for electronic media purposes. Under that article, a service provider is entitled to collect and use personal data for electronic media purposes only if the TMG or another legal instrument expressly governing electronic media authorises it, or if the user consents.

18.      Article 12(3) of the TMG provides that the legislation in force governing personal data must be applied even if data does not undergo automatic processing.

19.      Article 13(1) of the TMG requires the service provider to inform the user at the beginning of usage, on the nature, extent, and purpose of the processing of personal data as well as the processing of data beyond the scope of Directive 95/46.

20.      Article 15(1) of the TMG provides that service providers can collect and process personal data only if necessary for media use online or for the purposes of issuing an invoice relating to this use (‘user data’). User data is defined as inter alia data allowing for the identification of users.

21.      Article 15(3) of the TMG transposes Article 5(3) of Directive 2002/58 and authorises a service provider to establish user profiles through pseudonyms for purposes of advertising, market analysis, or configuration of electronic media, provided that the user does not object and the service provider has informed the user of his or her right of refusal, in accordance with the obligation to provide information under Article 13(1) of the TMG.

4.      The Federal Law on Data Protection

22.      Article 3(1) of the Bundesdatenschutzgesetz (Federal Law on Data Protection, the ‘BDSG’) (10) transposes Article 2(a) of Directive 95/46 and defines the term ‘personal data’ as data relating to the personal or factual circumstances of an identified or identifiable natural person.

23.      Article 4a of the BDSG transposes into national law Article 2(h) of Directive 95/46, and provides that consent is only valid if it arises from the free choice of concerned persons.

III. Facts, procedure and questions referred for a preliminary ruling

24.      On 24 September 2013, Planet49 GmbH organised a promotional lottery at the web address www.dein-macbook.de. (11) To participate in the lottery, an internet user was required to enter his postcode, which prompted a page containing input fields for the user’s name and address. Beneath the input fields for the address were two sets of explanatory text accompanied by checkboxes. I shall hereafter refer to them as ‘first checkbox’ and ‘second checkbox’. The first explanatory text, the checkbox for which did not contain a pre-selected tick, read:

‘I agree to certain sponsors and cooperation partners providing me with information by post or by telephone or by email/SMS about offers from their respective commercial sector. I can determine these myself here; otherwise, the selection is made by the organiser. I can revoke this consent at any time. Further information about this can be found here.’

25.      The second explanatory text, which was given a pre-selected tick, read:

‘I agree to the web analytics service Remintrex being used for me. This has the consequence that, following registration for the lottery, the lottery organiser, Planet49 GmbH, sets cookies, which enables Planet49 to evaluate my surfing and use behaviour on websites of advertising partners and thus enables advertising by Remintrex that is based on a user’s interests. I can delete the cookies again at any time. You can read more about this here.’

26.      Participation in the lottery was only possible if at least the first checkbox had been ticked.

27.      The electronic link associated with the words ‘sponsors and cooperation partners’ and ‘here’ in the first explanatory text led to a list which contained 57 companies, their addresses, the commercial sector to be advertised and the method of communication used for the advertising (email, post or telephone), as well as the underlined word ‘Unsubscribe’ after each company. The following statement preceded the list:

‘By clicking on the “Unsubscribe” link, I am deciding that no advertising consent is permitted to be granted to the partner/sponsor in question. If I have not unsubscribed from any or a sufficient number of partners/sponsors, Planet49 will choose partners/sponsors for me at its discretion (maximum number: 30 partners/sponsors).’

28.      When the electronic link associated with the word ‘here’ in the second explanatory text was clicked on, the following information was displayed:

‘The cookies named ceng_cache, ceng_etag, ceng_png and gcr are small files which are stored in an assigned manner on your hard disk by the browser you use and by means of which certain information is supplied which enables more user-friendly and effective advertising. The cookies contain a specific randomly generated number (ID), which is at the same time assigned to your registration data. If you then visit the website of an advertising partner which is registered for Remintrex (to find out whether a registration exists, please consult the advertising partner’s data protection declaration), Remintrex automatically records, by virtue of an iFrame which is integrated there, that you (or the user with the stored ID) have visited the site, which product you have shown interest in and whether a transaction was entered into.

Subsequently, Planet49 GmbH can arrange, on the basis of the advertising consent given during registration for the lottery, for advertising emails to be sent to you which take account of your interests demonstrated on the advertising partner’s website. After revoking the advertising consent, you will of course not receive any more email advertising.

The information communicated by these cookies is used exclusively for the purposes of advertising in which products of the advertising partner are presented. The information is collected, stored and used separately for each advertising partner. User profiles involving multiple advertising partners will not be created under any circumstances. The individual advertising partners do not receive any personal data.

If you have no further interest in using the cookies, you can delete them via your browser at any time. You can find a guide in your browser’s help function.

No programs can be run or viruses transmitted by means of the cookies.

You of course have the option to revoke this consent at any time. You can send the revocation in writing to PLANET49 GmbH [address]. However, an email to our customer services department [email address] will also suffice.’

29.      The applicant in the main proceedings, the Bundesverband der Verbraucherzentralen (Federation of German Consumer Organisations, the ‘Bundesverband’) is registered on the list of qualified entities pursuant to the Gesetz über Unterlassungsklagen bei Verbraucherrechts- und anderen Verstößen (Law relating to injunctions in the case of breaches of consumer law and of other laws, ‘the UKlaG’). According to the Bundesverband, the aforementioned declarations of consent used by Planet49 did not satisfy the requirements set forth in Article 307 of the BGB, Article 7(2), point 2, of the UWG and Article 12 et seq. of the TMG. A warning notice served prior to court proceedings produced no result.

30.      The Bundesverband instituted proceedings before the Landgericht Frankfurt am Main (Regional Court, Frankfurt am Main, Germany) requesting Planet49 to stop using the abovementioned clauses (12) and to order that company to pay to it the sum of EUR 214 plus interest from 15 March 2014.

31.      The Landgericht Frankfurt am Main (Regional Court, Frankfurt am Main) allowed certain claims to proceed and dismissed the remainder of the application. Further to an appeal on the merits (13) before the Oberlandesgericht Frankfurt am Main (Higher Regional Court, Frankfurt am Main, Germany), the Bundesgerichtshof (Federal Court of Justice) was seised by way of an appeal on a point of law. (14)

32.      The Bundesgerichtshof (Federal Court of Justice) considers that the success of the appeal on a point of law hinges on the interpretation of Articles 5(3) and 2(f) of Directive 2002/58, read in conjunction with Article 2(h) of Directive 95/46, and of Article 6(1)(a) of Regulation 2016/679 and has referred the following questions to the Court of Justice for a preliminary ruling:

‘(1)      (a)      Does it constitute a valid consent within the meaning of Articles 5(3) and 2(f) of Directive 2002/58 in conjunction with Article 2(h) of Directive 95/46 if the storage of information, or access to information already stored in the user’s terminal equipment, is permitted by way of a pre-checked checkbox which the user must deselect to refuse his consent?

(b)      For the purposes of the application of Articles 5(3) and 2(f) of Directive 2002/58 in conjunction with Article 2(h) of Directive 95/46, does it make a difference whether the information stored or accessed constitutes personal data?

(c)      In the circumstances referred to in Question 1(a), does a valid consent within the meaning of Article 6(1)(a) of Regulation 2016/679 exist?

(2)      What information does the service provider have to give within the scope of the provision of clear and comprehensive information to the user that has to be undertaken in accordance with Article 5(3) of Directive 2002/58? Does this include the duration of the operation of the cookies and the question of whether third parties are given access to the cookies?’

33.      The order for reference was received by the Court on 30 November 2017. Written observations were lodged by Planet49, the Bundesverband, the Portuguese and Italian Governments and the European Commission. A hearing was held on 13 November 2018, which was attended by Planet49, the Bundesverband, the German Government and the Commission.

IV.    Assessment

34.      Both questions referred by the Bundesgerichtshof (Federal Court of Justice) for a preliminary ruling relate to the giving of consent to the storing of information, and the gaining of access to information already stored in the user’s terminal equipment, that is to say to cookies, in the specific context of the provisions of Directive 2002/58, read in conjunction with those of Directive 95/46 or Regulation 2016/679.

35.      By way of preliminary remarks, I deem it helpful to provide factual clarification on the phenomenon of cookies and related terminology as well as legal clarification on the applicable legal instruments to the case at issue.

A.      Preliminary remarks

1.      On cookies

36.      A cookie is a way of collecting information generated by a website and saved by an internet user’s browser. (15) It is a small piece of data or text file, usually less than one Kbyte in size, that a website asks an internet user’s browser to store on the local hard disk of the user’s computer or mobile device. (16)

37.      A cookie allows the website to ‘remember’ the user’s actions or preferences over time. Most web browsers support cookies, but users can set their browsers to decline them. They can also delete them whenever they like. Indeed, many users set their cookie settings in their browsers to automatically delete cookies by default when the browser window is closed. That said, empirical evidence overwhelmingly demonstrates that people rarely change default settings, a phenomenon which has been coined ‘default inertia’. (17)

38.      Websites use cookies for the purposes of identifying users, remembering their custom preferences and allowing users to complete tasks without having to re-enter information when browsing from one page to another or when visiting the site later.

39.      Cookies can also be used to collect information for online behaviour target advertising and marketing. (18) Companies, for example, use software to track user behaviour and build personal profiles, which allows users to be shown advertisements relevant to a user’s previous searches. (19)

40.      There are different types of cookies, some of which are classified according to the cookie’s lifespan (e.g. session cookies and persistent cookies) and others of which are based on the domain to which the cookie belongs (e.g. first-party and third-party cookies). (20) When the web server supplying the webpage stores cookies on the user’s computer or mobile device, they are known as ‘http header’ cookies. (21) Another way of storing cookies is through JavaScript code contained or referenced in that page. (22) The validity of consent to the placement of cookies and the applicability of any relevant exemptions, however, should be evaluated based on the purpose of the cookie rather than the technical features. (23)

2.      On the applicable legal instruments

41.      The legislative framework applicable to the main proceedings has evolved over the years, leading up to, most recently, the entry into force of Regulation 2016/679.

42.      Two sets of EU legal instruments are applicable to the case at issue. First, Directive 95/46 and Regulation 2016/679. Secondly, Directive 2002/58, as amended by Directive 2009/136. (24)

43.      I should like to make two observations with respect to these two sets of instruments.

44.      The first observation relates to the applicability of Directive 95/46 and Regulation 2016/679.

45.      Regulation 2016/679, which has been applicable since 25 May 2018, (25) repealed Directive 95/46 with effect from the same date. (26)

46.      This date of 25 May 2018 post-dates the last hearing before the referring court of 14 July 2017 and indeed also the date of 5 October 2017 when the present case was referred to the Court of Justice for a preliminary ruling.

47.      Ergo, for situations before 25 May 2018, the applicable law is Directive 2002/58 in combination with Directive 95/46, while for situations as from 25 May 2018, it is Directive 2002/58 in combination with Regulation 2016/679.

48.      Insofar as the Bundesverband wishes, with the injunction sought, (27) to prevent Planet49 from behaving as it has in the future, Regulation 2016/679 is applicable in the present case. In its decision on the injunction claim for the future, the Bundesgerichtshof (Federal Court of Justice) will therefore have to take into account the requirements of Regulation 2016/679. In this connection, the German Government points to consistent national case-law on the relevant legal situation in actions for injunctions. (28)

49.      As a consequence, the question referred must therefore be answered having regard to both Directive 95/46 and Regulation 2016/679. (29)

50.      Moreover, it should be noted that references in Directive 2002/58 to Directive 95/46 are to be construed as references to Regulation 2016/679. (30)

51.      The second observation relates to the evolution of Article 5(3) of Directive 2002/58.

52.      Directive 2002/58 seeks to ensure full respect for the rights set forth in the Charter of Fundamental Rights of the European Union, and in particular, in Articles 7 and 8 thereof. (31) Article 5 of this directive aims to ensure the ‘confidentiality of communications’. In particular, Article 5(3) regulates the use of cookies and lays down the requirements which must be satisfied before data can be stored or accessed on a user’s computer via the setting of a cookie.

53.      Directive 2009/136 introduced significant changes to the consent requirements under Article 5(3) of Directive 2002/58 in order to enhance user protection. Before the amendments instituted by that directive, Article 5(3) merely required that users be given an informed ‘opt-out’ from data processing via cookies. In other words, according to the original version of Article 5(3), when storing information on the user’s terminal equipment or gaining access to information stored there, the service provider had to provide the user with clear and comprehensive information in particular about the purpose of the processing and offer the user the right to refuse such processing.

54.      Directive 2009/136 replaced this requirement to inform about the right to refuse with the requirement that ‘the subscriber or user concerned has given his or her consent’, meaning that it replaced the easier to satisfy informed opt-out system with an informed opt-in system. Subject to a very limited exception which does not apply to the present case, (32) the use of cookies under the revised Article 5(3) of Directive 2002/58 is permitted only if the user has given consent after being provided with clear and comprehensive information in accordance with Directive 95/46 about why his or her data is being tracked, that is to say, the purposes of the processing. (33)

55.      As will be seen in more detail below, the scope of the requirement to provide information under Article 5(3) of Directive 2002/58 lies at the heart of the issue in dispute, particularly in the context of default settings for online activities.

B.      Question 1

56.      By its Question 1(a), the referring court enquires whether it constitutes a valid consent within the meaning of Articles 5(3) and 2(f) of Directive 2002/58 in conjunction with Article 2(h) of Directive 95/46 if the storage of information, or the access to information already stored in the user’s terminal equipment, is permitted by way of a pre-ticked checkbox which the user must deselect to refuse his consent. In this connection, the referring court wonders if it makes a difference whether the information stored or accessed constitutes personal data (Question 1(b)). Finally, the referring court would like to know if in the circumstances described above, a valid consent exists within the meaning of Article 6(1)(a) of Regulation 2016/679 (Question 1(c)).

1.      On freely given and informed consent 

57.      A feature underlying EU data protection law is that of consent.

58.      Before turning to the specific issue of cookies, I should like to establish general principles deriving from the applicable legal instruments on the giving of consent.

(a)    Under Directive 95/46

(1)    Active consent

59.      I infer from the provisions of Directive 95/46 that consent needs to be manifested in an active (34) manner.

60.      Article 2(h) of Directive 95/46 refers to an indication of the data subject’s wishes, which clearly points to active, rather than passive, behaviour. In addition to this, Article 7(a) of Directive 95/46, which deals with the criteria for making (personal) data processing legitimate, stipulates that the data subject has unambiguously given his consent. Again, ambiguity can only be removed with active, as opposed to passive, behaviour.

61.      I infer from this that it is not sufficient in this respect if the user’s declaration of consent is pre-formulated and if the user must actively object when he does not agree with the processing of data.

62.      Indeed, in the latter situation, one does not know whether such a pre-formulated text has been read and digested. The situation is not unambiguous. A user may or may not have read the text. He may have omitted to do so out of pure negligence. In such a situation, it is not possible to establish whether consent has been freely given.

(2)    Separate consent

63.      Closely linked to the requirement of active consent is that of separate consent. (35)

64.       One could argue, as does Planet49, that a valid consent is given on the part of the data subject, not when he does not unclick a pre-formulated declaration of consent but when he actively ‘clicks’ on the participation button for the online lottery.

65.      I do not subscribe to such an interpretation.

66.      For consent to be ‘freely given’ and ‘informed’, it must not only be active, but also separate. The activity a user pursues on the internet (reading a webpage, participating in a lottery, watching a video, etc.) and the giving of consent cannot form part of the same act. In particular, from the perspective of the user, the giving of consent cannot appear to be of an ancillary nature to the participation in the lottery. Both actions must, optically in particular, be presented on an equal footing. As a consequence, it appears to me doubtful that a bundle of expressions of intention, which would include the giving of consent, would be in conformity with the notion of consent under Directive 95/46.

(3)    Obligation to fully inform

67.      In this context, it must be made crystal-clear to a user whether the activity he pursues on the internet is contingent upon the giving of consent. A user must be in a position to assess to what extent he is prepared to give his data in order to pursue his activity on the internet. There must be no room for any ambiguity whatsoever. (36) A user must know whether and, if so, to what extent his giving of consent has a bearing on the pursuit of his activity on the internet.

(b)    Under Regulation 2016/679

68.      The principles established above are equally valid for Regulation 2016/679.

69.      Article 4, point 11, of Regulation 2016/679 defines consent of the data subject as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

70.      It should be noted that this definition is stricter than that of Article 2(h) of Directive 95/46 in that it requires an unambiguous indication of the data subject’s wishes and a clear affirmative action signifying agreement to the processing of personal data.

71.      Furthermore, the recitals of Regulation 2016/679 are particularly illuminating. Because I shall make extensive reference to the recitals, (37) I feel compelled to recall that they obviously do not have any independent legal value, (38) but that the Court frequently resorts to them in interpreting provisions of an EU legal act. In the EU legal order they are descriptive and not prescriptive in nature. Indeed, the question of their legal value does not normally arise for the simple reason that, typically, the recitals are reflected in the legal provisions of a directive. Good legislative practice by the political institutions of the EU tends to aim at a situation in which the recitals provide a useful background to the provisions of a legal text. (39)

72.      Pursuant to recital 32 of Regulation 2016/679, consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

73.      Active consent is now, therefore, expressly provided for by Regulation 2016/679.

74.      Moreover, recital 43 of that regulation states that in order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

75.      The need for separate consent is therefore now stressed explicitly in this recital.

(c)    Under Directive 2002/58 – the case of cookies

76.      Pursuant to Article 5(3) of Directive 2002/58, Member States are to ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46, inter alia, about the purposes of the processing.

77.      This provision does not establish any further criteria as regards the notion of consent.

78.      However, the recitals of Directive 2002/58 and Directive 2009/136 provide guidance on consent with respect to cookies.

79.      Thus, recital 17 of Directive 2002/58 indicates that consent may be given by any appropriate method enabling a freely given specific and informed indication of the user’s wishes, including by ticking a box when visiting an internet website. (40)

80.      Moreover, Recital 66 of Directive 2009/136 explains the paramount importance of users being provided with clear and comprehensive information when engaging in any activity which could result in storage of information on the equipment of a user or gaining of access to information already stored and that the methods of providing information and offering the right to refuse should be as user-friendly as possible.

81.      In this connection, I should also like to point to the non-binding but nevertheless enlightening work of the ‘Article 29’ Data Protection Working Party (‘the “Article 29” Working Party’), (41) according to which consent implies a prior affirmative action from the users towards accepting the storage of the cookie and the use of the cookie. (42) That same working party reveals that the notion of ‘indication’ implies the need for action. (43) Other elements of the definition of consent, and the additional requirement in Article 7(a) of Directive 95/46 for consent to be unambiguous, support this interpretation. (44) The requirement that the data subject must ‘signify’ his or her consent indicates that simple inaction is insufficient and that some sort of action is required to constitute consent, although different kinds of actions, to be assessed ‘in context’, are possible. (45)

2.      Application to the case at issue

82.      I should now like to apply these criteria to the case at issue. In doing so, I shall first turn to Question 1(a) and (c), that is to say the question whether there has been valid consent concerning the setting of and the access to the cookies. This covers the second checkbox.

83.      Furthermore, given that, as has just been established, the requirements for consent do not greatly differ as regards cookies and, more generally, processing of personal data, for the sake of both completeness and clarity, even though the referring court does not explicitly enquire about this issue, for the correct and uniform interpretation of EU law, I do deem it necessary to briefly analyse whether there has been a valid consent concerning the processing of personal data in the context of the first checkbox. I also understand that in the context of the proceedings before it, the Bundesgerichtshof (Federal Court of Justice) will have to rule on the first checkbox. (46)

(a)    The second checkbox - Question 1(a) and (c)

84.      The referring court enquires whether it constitutes a valid consent within the meaning of Articles 5(3) and 2(f) of Directive 2002/58 in conjunction with Article 2(h) of Directive 95/46 if the storage of information, or access to information already stored in the user’s terminal equipment, is permitted by way of a pre-ticked checkbox which the user must deselect to refuse his consent.

85.      The crucial terms of Article 2(h) of Directive 95/46 and of Article 4, point 11, of Regulation 2016/679 for the purposes of this question are ‘freely given’ and ‘informed’. The question arises whether, in a situation as described by the referring court, consent can be given freely and in an informed manner.

86.      Planet49 thinks this to be the case. All other parties (47) disagree. In this context, the legal debate of the parties primarily focused on whether the ticking or unticking of a checkbox containing an already pre-selected tick satisfies these requirements. The debate turns around the question of activity and passivity. However, this aspect, important as it is, constitutes only a part of the requirements. For it only addresses the requirement of active, but not that of separate, consent.

87.      In my view, on the basis of the criteria established above, the answer is that there is no valid consent in the case at issue.

88.      First, requiring a user to positively untick a box and therefore become active if he does not consent to the installation of cookies does not satisfy the criterion of active consent. In such a situation, it is virtually impossible to determine objectively whether or not a user has given his consent on the basis of a freely given and informed decision. By contrast, requiring a user to tick a box makes such an assertion far more probable.

89.      Secondly and more importantly, the participation in the online lottery and the giving of consent to the installation of cookies cannot form part of the same act. But this is precisely the case in the present proceedings. In the end, a user only effectuates one click on the participation button in order to participate in the lottery. At the same time he consents to the installation of cookies. Two expressions of intention (participation in the lottery and consent to the installation of cookies) are made at the same time. These two expressions cannot both be subject to the same participation button. Indeed, in the present case, the consenting to the cookies appears ancillary in nature, in the sense that it is in no way clear that it forms part of a separate act. Put differently, (un)ticking the checkbox on the cookies appears like a preparatory act to the final and legally binding act which is ‘hitting’ the participation button.

90.      In such a situation, a user is not in a position to freely give his separate consent to the storing of information or the gaining of access to information already stored, in his terminal equipment.

91.      Moreover, it has been established above that participation in the lottery was only possible if at least the first checkbox had been ticked. As a consequence, participation in the lottery was not conditional (48) upon giving consent to the installation of and gaining access to cookies. For a user might as well have clicked the first checkbox (only).

92.      But, to the best of my knowledge, at no point was the user informed of this. This does not meet the criteria on fully informing users established above.

93.      In summary, my proposed answer to Question 1(a) and c) is that there is no valid consent within the meaning of Articles 5(3) and 2(f) of Directive 2002/58, read in conjunction with Article 2(h) of Directive 95/46, in a situation such as that of the main proceedings where the storage of information, or access to information already stored in the user’s terminal equipment, is permitted by way of a pre-ticked checkbox which the user must deselect to refuse his consent and where consent is given not separately but at the same time as confirmation in the participation in an online lottery. The same goes for the interpretation of Articles 5(3) and 2(f) of Directive 2002/58, read in conjunction with Article 4, point 11, of Regulation 2016/679.

(b)    The first checkbox

94.      Although the questions of the referring court refer to the second checkbox only, I should like to make two specific remarks with respect to the first checkbox, which may assist the referring court in its final decision.

95.      To recall, the first checkbox does not deal with cookies but only with the processing of personal data. Here, a user agrees not to having information stored on his equipment but (merely) to being contacted by a list of firms by post, telephone or email.

96.      First, the criteria on active and separate consent and full information obviously also apply with respect to the first checkbox. Active consent does not appear to pose a problem, since the checkbox is not pre-ticked. By contrast, I have some doubts about separate consent. On the basis of the analysis above, (49) with respect to the facts to the present case, it would be better if, figuratively speaking, there were a separate button to be clicked, (50) rather than merely a box to be ticked, in order to consent to the processing of personal data.

97.      Secondly, as regards the first checkbox on the contact by sponsors and cooperation partners, regard should be had to Article 7(4) of Regulation 2016/679. Pursuant to this provision, when assessing whether consent is freely given, utmost account is to be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. Article 7(4) of Regulation 2016/679, therefore, now codifies a ‘prohibition on bundling’. (51)

98.      As transpires from the terms ‘utmost account shall be taken of’, the prohibition on bundling is not absolute in nature. (52)

99.      Here, it will be for the competent court to assess whether the consent to the processing of personal data is necessary for the participation in the lottery. In this respect it should be kept in mind that the underlying purpose in the participation in the lottery is the ‘selling’ of personal data (i.e. agreeing to be contacted by so-called ‘sponsors’ for promotional offers). In other words, it is the providing of personal data which constitutes the main obligation of the user in order to participate in the lottery. In such a situation it appears to me that the processing of this personal data is necessary for the participation in the lottery. (53)

3.      On personal data (Question 1(b))

100. I should now like to examine whether, for the purposes of the application of Articles 5(3) and 2(f) of Directive 2002/58 in conjunction with Article 2(h) of Directive 95/46, it makes a difference whether the information stored or accessed constitutes personal data.

101. This question is best understood against the background of German law transposing Article 5(3) of Directive 2002/58. (54) In fact, German law establishes a difference between the collection and use of personal data and other data.

102. Pursuant to Article 12(1) of the TMG, a service provider may collect and use personal data only if, among other things, the user has consented to it. 

103. By contrast, according to Article 15(3) of the TMG, a service provider may create user profiles through pseudonyms, inter alia, for the purposes of advertising and market research, provided the user does not object to this. Ergo, in so far as no personal data are involved, the requirement is less strict under German law: not consent, but merely non-objection.

104. Personal data is legally defined in Article 4, point 1, of Regulation 2016/679 as ‘any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.

105. I think it is beyond doubt that, as far as the case at issue is concerned, the ‘information’ referred to in Article 5(3) of Directive 2002/58 constitutes ‘personal data’. This too appears to be the view of the referring court, which explicitly states in its order for reference that the accessing of data from the cookies used by the defendant is subject to the requirement for consent under Article 12(1) of the TMG because the data in question here are personal data. (55) Moreover, it does not appear to be disputed between the parties in the main proceedings that we are dealing here with personal data.

106. One may therefore wonder about the relevance of this question for the case at issue and whether the question is not hypothetical. (56)

107. Be that as it may, I think the answer to this question is pretty straightforward: it makes no difference whether the information stored or accessed constitutes personal data. Article 5(3) of Directive 2002/58 refers to the ‘storing of information, or the gaining of access to information already stored’. (57) It is clear that any such information has a privacy aspect to it, regardless of whether it constitutes ‘personal data’ within the meaning of Article 4, point 1, of Regulation 2016/679 or not. As the Commission rightly stresses, Article 5(3) of Directive 2002/58 aims to protect the user from interference with his or her private sphere, regardless of whether that interference involves personal data or other data.

108. Such an understanding of Article 5(3) of Directive 2002/58 is, moreover corroborated by recitals 24 (58) and 25 (59) of that directive as well as Opinions of the ‘Article 29’ Working Party.  Indeed, according to this Working Party, ‘Article 5(3) applies to “information” (stored and/or accessed). It does not qualify such information. It is not a prerequisite for the application of this provision that this information is personal data within the meaning of Directive 95/46’. (60)

109. As a consequence, it does appear as if Article 15(3) of the TMG does not fully transpose the requirements of Article 5(3) of Directive 2002/58 into German law. (61)

110. I therefore propose to reply to Question 1(b) that for the purposes of the application of Articles 5(3) and 2(f) of Directive 2002/58 in conjunction with Article 2(h) of Directive 95/46 it makes no difference whether the information stored or accessed constitutes personal data.

C.      Question 2

111. By the second question, the referring court would like to know what information the service provider has to give within the scope of the requirement to provide clear and comprehensive information to the user in accordance with Article 5(3) of Directive 2002/58 and whether this includes the duration of the operation of the cookies and the question of whether third parties are given access to the cookies.

1.      On clear and comprehensive information

112. Articles 10 and 11 of Directive 95/46 (and Articles 13 and 14 of Regulation 2016/679) set out an obligation to provide information to data subjects. The obligation to inform is linked to consent in that there must always be information before there can be consent.

113. Given the conceptual proximity of an internet user (and provider) to that of a consumer (and trader), (62) one can resort at this stage to the concept of the average European consumer who is reasonably well informed and reasonably observant and circumspect (63) and who is able to take the decision to make an informed commitment. (64)

114. However, due to the technical complexity of cookies, the asymmetrical information between provider and user and, more generally, the relative lack of knowledge of any average internet user, the average internet user cannot be expected to have a high level of knowledge of the operation of cookies.

115. Thus, clear and comprehensive information implies that a user is in a position to be able to easily determine the consequences of any consent he might give. To that end he must be able to assess the effects of his actions. The information given must be clearly comprehensible and not be subject to ambiguity or interpretation. It must be sufficiently detailed so as to enable the user to comprehend the functioning of the cookies actually resorted to.

116. This includes, as the referring court rightly suggests, both the duration of the operation of the cookies and the question of whether third parties are given access to the cookies.

2.      Information on the duration of the operation of the cookies

117. By virtue of recitals 23 and 26 of Directive 2002/58, the duration of the operation of cookies is an element of the requirement for informed consent, meaning that service providers should ‘always keep subscribers informed of the types of data they are processing and the purposes and duration for which it is done’. Even if the cookie is essential, the question of how intrusive it is must be examined against the surrounding circumstances for consent purposes. In addition to asking what data each cookie holds and whether it is linked to any other information held about the user, service providers must consider the lifespan of the cookie and whether this lifespan is appropriate in light of the cookie’s purpose.

118. The duration of the operation of cookies relates to the explicit informed consent requirements regarding the quality and accessibility of information to users. This information is vital to enable individuals to make informed decisions prior to the processing. (65) As submitted by the Portuguese and Italian Governments, since data collected by cookies must be eliminated once it is no longer necessary to achieve the original purpose, it follows that the time period for storage of data collected must be clearly communicated to the user.

3.      Information on third-party access

119. Here, Planet49 contends that if third parties gain access to a cookie, users must also be informed of this. However, if, as in the case at issue, only a provider who wishes to set the cookie has access to the cookie, it is sufficient to draw attention to this fact. The fact that other third parties have no access does not have to be pointed out separately. Such an obligation would not be compatible with the legislative intention that the data protection texts should remain user-friendly and concise.

120. I cannot subscribe to such an interpretation. Rather, for information to be clear and comprehensive, a user should be explicitly informed whether third parties have access to the cookies set or not. And if third parties have access, their identity must be disclosed. As the Bundesverband rightly stresses, this is indispensable in order to ensure that informed consent is given.

4.      Result

121. I therefore propose to reply to the second question that the clear and comprehensive information a service provider has to give to a user, under Article 5(3) of Directive 2002/58, includes the duration of the operation of the cookies and the question of whether third parties are given access to the cookies or not.

V.      Conclusion

122. In the light of the foregoing considerations, I propose that the Court answer the questions referred by the Bundesgerichtshof (Federal Court of Justice, Germany) as follows:

(1)      There is no valid consent within the meaning of Articles 5(3) and 2(f) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), read in conjunction with Article 2(h) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data in a situation such as that of the main proceedings where the storage of information, or access to information already stored in the user’s terminal equipment, is permitted by way of a pre-ticked checkbox which the user must deselect to refuse his consent and where consent is given not separately but at the same time as confirmation in the participation in an online lottery.

(2)      The same goes for the interpretation of Articles 5(3) and 2(f) of Directive 2002/58, read in conjunction with Article 4, point 11, of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 (General Data Protection Regulation).

(3)      For the purposes of the application of Articles 5(3) and 2(f) of Directive 2002/58 in conjunction with Article 2(h) of Directive 95/46, it makes no difference whether the information stored or accessed constitutes personal data.

(4)      The clear and comprehensive information a service provider has to give to a user, under Article 5(3) of Directive 2002/58, includes the duration of the operation of the cookies and the question of whether third parties are given access to the cookies or not.


1      Original language: English.


2      Directive of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).


3      Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 (General Data Protection Regulation) (OJ 2016 L 119, p. 1).


4      Often termed the ‘E-Privacy Directive’.


5      Directive of the European Parliament and of the Council of 12  July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ 2002 L 201, p. 37), as amended by Directive 2009/136/EC of the European Parliament and of the Council, of 25 November 2009 (OJ 2009 L 337, p. 11).


6      OJ 2002 L 108, p. 33.


7      Often termed the ‘cookie Directive’.


8      Directive of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58 and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (OJ L 2009 L 337, p. 11). The normative content of Directive 2009/136 is therefore now contained in the latter directives as well as the mentioned Regulation, as amended (and, as regards the present case, in Article 5(3) of Directive 2002/58), which is the reason why in the present case, only a recital of Directive 2009/136 is cited.


9      I am well aware that, strictly speaking, one should be referring to ‘paragraphs’ (§) and not articles. Indeed, in Germany the latter are rarely resorted to and if so then only in very fundamental texts, such as the Basic Law. For ease of reference, however, I shall be referring to ‘articles’ throughout.


10      It should be pointed out that this is the previous version of the BDSG of 20 December 1990, as amended, and not the current version of 30 June 2017.


11      An idea of what the actual website looked like can be obtained here: https://web.archive.org/web/20130902100750/http:/www.dein-macbook.de:80/.


12      And other clauses not relevant to the case at issue.


13      ‘Berufung’.


14      ‘Revision’.


15      See also Opinion of Advocate General Bot in Wirtschaftsakademie Schleswig-HolsteinWirtschaftsakademie Schleswig-Holstein (C‑210/16, EU:C:2017:796, point 5).


16      See Lynskey, O., ‘Track[ing] changes: an examination of EU Regulation of online behavioural advertising through a data protection lens’, European Law Review, Sweet & Maxwell, 2011, pp. 874-886, at pp. 875-876.


17      See Lynskey, O., ibid., at p. 878.


18      See, in general, Clifford, D., ‘EU Data Protection Law and Targeted Advertising: Consent and the Cookie Monster – Tracking the crumbs of online user behaviour’, Journal of Intellectual Property, Information Technology and Electronic Commerce Law, 2014, pp. 195-196.


19      See http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm.


20      See Clifford, D., ibid., pp. 195-196.


21      See http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm


22      See http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm


23      See, for example, Opinion 04/2012 on Cookie Consent Exemption adopted by the ‘Article 29’ Working Party on 7 June 2012 (00879/12/EN, WP 194, p. 12).


24      To complete the picture, one might add that Directive 2002/58 had also been amended by Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58 (OJ 2006 L 105, p. 54). However, firstly, as transpires from Article 11 of Directive 2006/24, that amendment was minor and only concerned one article of Directive 2002/58 and, secondly and more importantly, Directive 2006/24 has in the meantime been declared invalid; see judgment of 8 April 2014, Digital Rights Ireland and Others (C‑293/12 and C‑594/12, EU:C:2014:238, paragraph 71).


25      Pursuant to Article 99(2) of Regulation 2016/679.


26      See Article 94(1) of Regulation 2016/679.


27      In German: ‘Unterlassungsanspruch’.


28      See Bundesgerichtshof, 23 February 2016, XI ZR 101/15, point II.1., Neue Juristische Wochenschrift (NJW), 2016, p. 1881: Insofar as the plaintiff’s application for injunctive relief is directed towards the future, claims for injunctive relief the legal basis of which has changed in the course of the legal proceedings are to be examined by the appellate court under consideration of the current legal situation, even if the legal amendment only entered into force after the conclusion of the oral hearing of the second instance or in the course of the appeal proceedings. See also Bundesgerichtshof, 13 July 2004, KZR 10/03, point I., Gewerblicher Rechtsschutz und Urheberrecht (GRUR), 2004, p. 62.


29      In relation to the applicability of Directive 95/46 and Regulation 2016/679 in the context of a Feststellungsklage under German procedural law, see judgment of 16 January 2019, Deutsche Post (C‑496/17, EU:C:2019:26, paragraph 39), and Opinion of Advocate General Campos Sánchez-Bordona in Deutsche Post (C‑496/17, EU:C:2018:838, point 32): ‘It is for the national court to interpret its national procedural law, on which the Court of Justice will not give a ruling. Consequently, if it is of the view that the domestic rules require the dispute to be resolved, ratione temporis, in accordance with Regulation 2016/679 rather than Directive 95/46, the Court of Justice must provide it with an interpretation of the former rather than the latter.’


30      See Article 94(2) of Regulation 2016/679.


31      See, in general, recital 2.


32      The requirement for consent does not prevent the storage or access pursuant to the second sentence of Article 5(3) of Directive 2002/58 if the sole purpose is the carrying out of the transmission of a communication over an electronic communications network, or if storage or access is strictly necessary in order to provide the user with an information society service explicitly requested by him. In the present case, the storage or accessing of the information is not technically necessary within the meaning of the second sentence of Article 5(3) of Directive 2002/58, but rather is used for advertising purposes; therefore the exception to the requirement for consent does not apply.


33      See also Bond, R., ‘The EU E-Privacy Directive and Consent to Cookies’, The Business Lawyer, Vol. 68, No. 1, American Bar Association, November 2012, p. 215.


34      Instead of employing the pair of the terms ‘active’ and ‘passive’, one could also refer to the terms ‘explicit’ and ‘implicit’.


35      Strictly speaking, the requirement of separate consent already embodies the requirement for active consent. Because only if the consent criterion applies separately, can it not be ‘slipped-in’ by way of pre-selected settings.


36      This is not to say that the participation in a lottery cannot be made contingent upon consent. However, that consent must be separate and the user must be duly informed. I will come back to this point below.


37      And because I have already referred to recitals of Directives 2002/58 and 2009/136 above.


38      Judgments of 19 November 1998, Nilsson and Others (C‑162/97, EU:C:1998:554, paragraph 54); of 24 November 2005, Deutsches Milch-Kontor (C‑136/04, EU:C:2005:716, paragraph 32); and Opinion of Advocate General Ruiz-Jarabo Colomer in TeliaSonera Finland (C‑192/08, EU:C:2009:309, paragraphs 87 to 89).


39      See also my Opinion in Joined Cases X and VisserX and Visser (C‑360/15 and C‑31/16, EU:C:2017:397, point 132).


40      See second sentence of recital 17 of Directive 2002/58.


41      This is an advisory body set up pursuant to Article 29 of Directive 95/46. With the entry into force of Regulation 2016/679, the ‘Article 29’ Working Party was replaced by the European Data Protection Board (see Articles 68 and 94(2) of Regulation 2016/679).


42      See Opinion 2/2010 on online behavioural advertising, adopted by the ‘Article 29’ Working Party, on 22 June 2010 (00909/10/EN, WP 171, p. 16, point 4.1.3.).


43      Opinion 15/2011 on the definition of consent adopted by the ‘Article 29’ Working Party on 13 July 2011 (01197/11/EN, WP 187, p. 12).


44      Opinion 15/2011 on the definition of consent adopted by the ‘Article 29’ Working Party on 13 July 2011 (01197/11/EN, WP 187, p. 12).


45      Opinion 15/2011 on the definition of consent adopted by the ‘Article 29’ Working Party on 13 July 2011 (01197/11/EN, WP 187, p. 12).


46      This point, which already results from the order for reference, was explicitly confirmed by the Bundesverband during the hearing, pursuant to a question from the Court.


47      That is to say, the Bundesverband, the German, Italian and Portuguese Governments as well as the Commission.


48      See Article 7(4) of Regulation 2016/679.


49      See, in particular, point 66 of this Opinion.


50      A button such as the participation button.


51      In German terminology: ‘Kopplungsverbot’, see, among many, Ingold, A., in G. Sydow (ed.), Europäische Datenschutzgrundverordnung, Handkommentar, Nomos, Baden-Baden, 2017, Artikel 7, point 30.


52      See Heckmann, D., Paschke, A., in E. Ehmann, M. Selmayr (ed.), DS-GVO (Datenschutz-Grundverordnung), Kommentar, C.H. Beck, Munich, 2017, Artikel 7, point 53.


53      See in this sense also Buchner, J., Kühling, B., in J. Buchner, B. Kühling (eds), Datenschutz-Grundverordnung/BDSG, Kommentar, 2nd ed. 2018, C.H. Beck, Munich, Artikel 7 DS-GVO, point 48.


54      As amended by Directive 2009/136.


55      See point 24 of the order for reference.


56      Indeed, during the hearing the representative of the Bundesverband pointed out that a clarification of the Court with respect to Question 1(b) would be most helpful given a dispute in German legal doctrine on the question whether Article 15(3) of the TMG is in conformity with EU law or not.


57      My emphasis.


58      See Legal framework, above.


59      Ibid.


60      See Opinion 2/2010 on online behavioural advertising, adopted by the ‘Article 29’ Working Party on 22 June 2010 (00909/10/EN, WP 171, p. 9, point 3.2.1). In a similar vein, it is stated in Opinion 2/2013 on apps on smart devices, adopted by the ‘Article 29’ Working Party, on 27 February 2013 (00461/13/EN, WP 202, p. 7, point 3.1), that ‘the consent requirement of Article 5(3) applies to any information, without regard to the nature of the data being stored or accessed. The scope is not limited to personal data; information can be any type of data stored on the device’.


61      To be precise: the requirements of Directive 2009/136 amending, inter alia, Directive 2002/58.


62      On the terminology in the area of consumer protection, see Article 2 of Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council (OJ 2011 L 304, p. 64).


63      This being the classical terminology employed by the Court to describe the average European consumer. See, by way of example, judgments of 7 August 2018, Verbraucherzentrale BerlinVerbraucherzentrale Berlin (C‑485/17, EU:C:2018:642, paragraph 44); of 7 June 2018, Scotch Whisky Association (C‑44/17, EU:C:2018:415, paragraph 47); and of 16 July 1998, Gut Springenheide and TuskyGut Springenheide and TuskyGut Springenheide and TuskyGut Springenheide and Tusky (C‑210/96, EU:C:1998:369, paragraph 31).


64      See Opinion of Advocate General Saugmandsgaard Øe in slewo (C‑681/17, EU:C:2018:1041, point 55).


65      Opinion 15/2011 on the definition of consent, adopted by the ‘Article 29’ Working Party on 13 July 2011 (01197/11/EN, WP 187, p. 37).