The AG’s Opinion on box ticking and consent: Planet49 GmbH Case 673/17

March 25, 2019

The Advocate General has issued an opinion in Case 673/17 (the Planet49 case). In his opinion, he argued that requirements for giving consent are the same under Directive 95/46/EC and Regulation (EU) 2016/679 and that there was no difference between the general question of processing of personal data or the more particular one of storing of and gaining access to information by way of cookies.


To participate in Planet49’s lottery, an individual had to click or unclick two checkboxes before they could take part. One of the checkboxes required the user to accept being contacted by a range of organisations for promotions, another checkbox required the user to consent to cookies being installed on their computer. 

The following questions were referred to the Court of Justice of the European Union:

  • Does it constitute a valid consent if the storage of information, or access to information already stored in the user’s computer, is permitted by a pre-checked checkbox which the user must deselect to refuse their consent?
  • Does it make a difference whether the information stored or accessed is personal data?
  • Does a valid consent within the meaning of Article 6(1)(a) of Regulation 2016/679 exist?
  • What information does the service provider have to give within the scope of the provision of clear and comprehensive information to the user? Does this include the duration of the operation of the cookies and the question of whether third parties are given access to the cookies?

Requirements for consent

The AG set out the requirements for valid consent under Directive 95/46/EC – it must be active, it must be separate and there is an obligation to fully inform.  He said that it was not sufficient if the user’s declaration of consent is pre-formulated and if the user must actively object when they do not agree with the data processing. He went on to say that in the latter situation, one does not know whether such a pre-formulated text has been read and digested. The situation is not unambiguous. A user may or may not have read the text. He or she may have omitted to do so out of pure negligence. In such a situation, it is not possible to establish whether consent has been freely given. 

For consent to be ‘freely given’ and ‘informed’, it must not only be active, but also separate. The activity a user pursues on the internet and the giving of consent cannot form part of the same act. In particular, from the user’s perspective, giving consent cannot appear to be of an ancillary nature to the participation in the lottery. Both actions must, visually in particular, be presented equally. The AG doubted if a bundle of expressions of intention, which would include the giving of consent, would conform with the legislation.

In this context, it must be made crystal-clear to a user if the online activity depends on consent. A user must be able to assess to what extent they are prepared to provide their data to pursue the online activity. There must be no room for ambiguity. A user must know whether and, if so, to what extent, their consent has a bearing on their being able to pursue to the online activity.

These principles apply equally to the GDPR, although the requirements of the GDPR are stricter. Active consent is a requirement and the need for separate consent is stressed in Recital 43.


Users must give their consent, having been provided with clear and comprehensive information, about the purposes of the processing. Recital 17 of Directive 2002/58 indicates that consent may be given by any appropriate method enabling a freely given specific and informed indication of the user’s wishes, including by ticking a box when visiting a website. 

Recital 66 of Directive 2009/136 explains the paramount importance of users being provided with clear and comprehensive information when engaging in any activity which could result in storage of information on the equipment of a user or gaining access to information already stored and that the methods of providing information and offering the right to refuse should be as user-friendly as possible. 

The Advocate General also referred to the Article 29 Working Party guidance which says consent implies a prior affirmative action from the users towards accepting the storage of the cookie and the use of the cookie. The notion of ‘indication’ implies the need for action.

Decision of the Advocate General

Second check box

The consent was not valid. First, requiring a user to positively untick a box and therefore become active if they do not consent to cookies does not satisfy the criterion of active consent. In such a situation, it is virtually impossible to objectively decide if a user has given their consent on the basis of a freely given and informed decision. By contrast, requiring a user to tick a box makes such an assertion far more probable.

Secondly and more importantly, taking part in the online lottery and the giving of consent to cookies cannot form part of the same act. However, this was exactly what had happened in this case. A user only clicked on the participation button to take part in the lottery while simultaneously consenting to cookies. Two expressions of intention were made at the same time. These two expressions cannot both be subject to the same participation button. Indeed, in this case, consenting to the cookies appeared ancillary in nature, in the sense that it was in no way clear that it formed part of a separate act. 

In such a situation, a user is not in a position to freely give their separate consent to storing information or gaining access to information already stored in their equipment.

Further, it was only possible to take part in the lottery if at least the first checkbox had been ticked. As a consequence, participation in the lottery was not conditional upon giving consent to the installation of and gaining access to cookies, as a user might as well have clicked the first checkbox (only).

However, the user was not informed of this at any point, so the criteria on fully informing users was not met.

First checkbox

The referring court had to make a decision about the first checkbox. However, the Advocate General observed:

  1. Active consent did not appear to pose a problem, since the checkbox was not pre-ticked. However, there were doubts about separate consent. The AG thought it would be better if there were a separate button to be clicked, rather than a box to be ticked, to consent to data processing.
  2. The court must assess if consent to the processing of personal data is necessary to take part in the lottery. The underlying purpose in taking part in the lottery is ‘selling’ personal data (ie agreeing to be contacted by so-called ‘sponsors’ for promotional offers). In other words, it is providing personal data which constitutes the main obligation of the user to take part in the lottery. The AG thought in these circumstances that processing of personal data was required to take part in the lottery.

Personal data

It makes no difference whether the information stored or accessed constitutes personal data. Article 5(3) of Directive 2002/58 aims to protect the user from interference with his or her private sphere, regardless of whether that interference involves personal data or other data. 

Information to be provided

Clear and comprehensive information implies that a user is in a position to be able to easily determine the consequences of any consent they might give. To that end he or she must be able to assess the effects of their actions. The information given must be clearly comprehensible and not be subject to ambiguity or interpretation. It must be sufficiently detailed to enable the user to comprehend the functioning of the cookies actually resorted to. This includes both the duration of the operation of the cookies and the question of whether third parties are given access to the cookies.

Information on the duration of the operation of the cookies and third parties

The time period for storage of data collected must be clearly communicated to the user. In addition, a user should be explicitly informed whether third parties have access to the cookies set or not. Further, if third parties have access, their identity must be disclosed.