A Victory for Privacy as German Court Bans Tricky Consent Tactics Used by Big Tech
Germany’s highest civil court has ruled that bundling user consent with actions like clicking “Play” violates GDPR. This decision against Meta redefines how digital consent must be obtained.
Tired of apps sneaking off with your data the moment you click “Play”? Germany’s BGH court just called time on that shady game. In a major win for privacy, the court ruled that Meta’s old App Centre tricks violated GDPR. Here’s why this matters, and what it means for digital consent going forward.
German Court (BGH) Upholds GDPR Consent Rules: No More Sneaky “Play to Agree”
In a victory for user privacy and transparency, Germany’s Federal Court of Justice (BGH), the highest court for civil and criminal matters, has delivered a major ruling reinforcing core principles of the EU’s GDPR.
The case in question involved Meta (Facebook) and its App Center, and whether Facebook obtained valid consent from users to share data with third-party apps.
The BGH’s answer: No, it did not because users were not properly informed or asked. The ruling, issued on March 27, 2025, confirms that bundling consent with actions like clicking “Play” without clear disclosure violates the GDPR’s requirements for informed, freely given consent. It’s also significant because it affirms that consumer associations can sue over GDPR breaches, not just regulators, a boost for collective enforcement of privacy rights.
The origins of this case go way back to 2012, when the Federation of German Consumer Organisations (vzbv) sued Facebook over its App Center practices. In Facebook’s App Center, users could find free games and apps (think FarmVille et al. back in the day).
When a user clicked “Play Now” on a game, Facebook would automatically share the user’s data (like their name, email, friends list, etc.) with the game developer and allow the app certain permissions. There was a small notice stating that by clicking, the user agrees to this data transfer. But there was no separate consent checkbox or detailed info upfront. Essentially, “By clicking Play, you agree we give your data to this app”.
Post-GDPR (which came into effect in 2018), this practice was clearly dodgy. The case eventually led to a question for the European Court of Justice (CJEU) on whether consumer bodies could bring such privacy lawsuits.